Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
BOQ Inquiry.exe

Overview

General Information

Sample name:BOQ Inquiry.exe
Analysis ID:1483267
MD5:ccdc7eb74161dec113cfc651731e3ed2
SHA1:c299757e2eb69276ba604e114bda9800c22753fb
SHA256:a133d4b98713e10ff269ced474727528256011109c3440bcfb5112a46b836c26
Tags:exe
Infos:

Detection

FormBook
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • BOQ Inquiry.exe (PID: 6736 cmdline: "C:\Users\user\Desktop\BOQ Inquiry.exe" MD5: CCDC7EB74161DEC113CFC651731E3ED2)
    • svchost.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\BOQ Inquiry.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.1964890977.0000000000E40000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000001.00000002.1964890977.0000000000E40000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2b6b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x141ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000001.00000002.1964646888.0000000000620000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000001.00000002.1964646888.0000000000620000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2eaa3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x175f2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.svchost.exe.620000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        1.2.svchost.exe.620000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2eaa3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x175f2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        1.2.svchost.exe.620000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          1.2.svchost.exe.620000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2dca3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x167f2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\BOQ Inquiry.exe", CommandLine: "C:\Users\user\Desktop\BOQ Inquiry.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BOQ Inquiry.exe", ParentImage: C:\Users\user\Desktop\BOQ Inquiry.exe, ParentProcessId: 6736, ParentProcessName: BOQ Inquiry.exe, ProcessCommandLine: "C:\Users\user\Desktop\BOQ Inquiry.exe", ProcessId: 6780, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\BOQ Inquiry.exe", CommandLine: "C:\Users\user\Desktop\BOQ Inquiry.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BOQ Inquiry.exe", ParentImage: C:\Users\user\Desktop\BOQ Inquiry.exe, ParentProcessId: 6736, ParentProcessName: BOQ Inquiry.exe, ProcessCommandLine: "C:\Users\user\Desktop\BOQ Inquiry.exe", ProcessId: 6780, ProcessName: svchost.exe

          Snort Signatures

          No Snort rule has matched

          Suricata Signatures

          Timestamp:2024-07-26T23:45:24.516206+0200
          SID:2022930
          Source Port:443
          Destination Port:49732
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:2024-07-26T23:46:05.324878+0200
          SID:2022930
          Source Port:443
          Destination Port:52447
          Protocol:TCP
          Classtype:A Network Trojan was detected

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: BOQ Inquiry.exeReversingLabs: Detection: 36%
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.1964890977.0000000000E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.1964646888.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: BOQ Inquiry.exeJoe Sandbox ML: detected
          Source: BOQ Inquiry.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: BOQ Inquiry.exe, 00000000.00000003.1674157801.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, BOQ Inquiry.exe, 00000000.00000003.1674447238.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1964930708.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1964930708.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750464522.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1757999893.0000000002F00000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: BOQ Inquiry.exe, 00000000.00000003.1674157801.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, BOQ Inquiry.exe, 00000000.00000003.1674447238.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1964930708.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1964930708.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750464522.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1757999893.0000000002F00000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DFDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00DFDBBE
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E068EE FindFirstFileW,FindClose,0_2_00E068EE
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E0698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00E0698F
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DFD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DFD076
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DFD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DFD3A9
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E09642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E09642
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E0979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E0979D
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E09B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00E09B2B
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E05C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00E05C97
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E0CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00E0CE44
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E0EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00E0EAFF
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E0ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00E0ED6A
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E0EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00E0EAFF
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DFAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00DFAA57
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E29576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00E29576

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.1964890977.0000000000E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.1964646888.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 1.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.svchost.exe.620000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1964890977.0000000000E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1964646888.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Binary is likely a compiled AutoIt script file
          Source: BOQ Inquiry.exeString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: BOQ Inquiry.exe, 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_73696ffa-0
          Source: BOQ Inquiry.exe, 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_a7438255-7
          Source: BOQ Inquiry.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_50cd6cea-e
          Source: BOQ Inquiry.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_6c6dea8a-8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0064BDB3 NtClose,1_2_0064BDB3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0062192F NtProtectVirtualMemory,1_2_0062192F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0062199E NtProtectVirtualMemory,1_2_0062199E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172B60 NtClose,LdrInitializeThunk,1_2_03172B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03172DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031735C0 NtCreateMutant,LdrInitializeThunk,1_2_031735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03174340 NtSetContextThread,1_2_03174340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03174650 NtSuspendThread,1_2_03174650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172B80 NtQueryInformationFile,1_2_03172B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172BA0 NtEnumerateValueKey,1_2_03172BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172BF0 NtAllocateVirtualMemory,1_2_03172BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172BE0 NtQueryValueKey,1_2_03172BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172AB0 NtWaitForSingleObject,1_2_03172AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172AD0 NtReadFile,1_2_03172AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172AF0 NtWriteFile,1_2_03172AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172F30 NtCreateSection,1_2_03172F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172F60 NtCreateProcessEx,1_2_03172F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172F90 NtProtectVirtualMemory,1_2_03172F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172FB0 NtResumeThread,1_2_03172FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172FA0 NtQuerySection,1_2_03172FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172FE0 NtCreateFile,1_2_03172FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172E30 NtWriteVirtualMemory,1_2_03172E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172E80 NtReadVirtualMemory,1_2_03172E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172EA0 NtAdjustPrivilegesToken,1_2_03172EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172EE0 NtQueueApcThread,1_2_03172EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172D10 NtMapViewOfSection,1_2_03172D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172D00 NtSetInformationFile,1_2_03172D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172D30 NtUnmapViewOfSection,1_2_03172D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172DB0 NtEnumerateKey,1_2_03172DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172DD0 NtDelayExecution,1_2_03172DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172C00 NtQueryInformationProcess,1_2_03172C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172C70 NtFreeVirtualMemory,1_2_03172C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172C60 NtCreateKey,1_2_03172C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172CA0 NtQueryInformationToken,1_2_03172CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172CC0 NtQueryVirtualMemory,1_2_03172CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172CF0 NtOpenProcess,1_2_03172CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03173010 NtOpenDirectoryObject,1_2_03173010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03173090 NtSetValueKey,1_2_03173090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031739B0 NtGetContextThread,1_2_031739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03173D10 NtOpenProcessToken,1_2_03173D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03173D70 NtOpenThread,1_2_03173D70
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DFD5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_00DFD5EB
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DF1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00DF1201
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DFE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00DFE8F6
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E020460_2_00E02046
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00D980600_2_00D98060
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DF82980_2_00DF8298
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DCE4FF0_2_00DCE4FF
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DC676B0_2_00DC676B
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E248730_2_00E24873
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00D9CAF00_2_00D9CAF0
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DBCAA00_2_00DBCAA0
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DACC390_2_00DACC39
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DC6DD90_2_00DC6DD9
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00D991C00_2_00D991C0
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DAB1190_2_00DAB119
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB13940_2_00DB1394
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB17060_2_00DB1706
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB781B0_2_00DB781B
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB19B00_2_00DB19B0
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DA997D0_2_00DA997D
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00D979200_2_00D97920
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB7A4A0_2_00DB7A4A
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB7CA70_2_00DB7CA7
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB1C770_2_00DB1C77
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DC9EEE0_2_00DC9EEE
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E1BE440_2_00E1BE44
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00D9BF400_2_00D9BF40
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB1F320_2_00DB1F32
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00CF36000_2_00CF3600
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_006210001_2_00621000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_006369631_2_00636963
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0063695F1_2_0063695F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_006231801_2_00623180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0064E3931_2_0064E393
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0062FC7A1_2_0062FC7A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00621C4E1_2_00621C4E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00621C501_2_00621C50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0062FC831_2_0062FC83
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_006245941_2_00624594
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_006226261_2_00622626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_006226301_2_00622630
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0062FEA31_2_0062FEA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0062DF231_2_0062DF23
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FA3521_2_031FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032003E61_2_032003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E3F01_2_0314E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E02741_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C02C01_2_031C02C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA1181_2_031DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031301001_2_03130100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C81581_2_031C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032001AA1_2_032001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F41A21_2_031F41A2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F81CC1_2_031F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D20001_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031647501_2_03164750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031407701_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313C7C01_2_0313C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315C6E01_2_0315C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031405351_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032005911_2_03200591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E44201_2_031E4420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F24461_2_031F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EE4F61_2_031EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FAB401_2_031FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F6BD71_2_031F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313EA801_2_0313EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031569621_2_03156962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320A9A61_2_0320A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A01_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314A8401_2_0314A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031428401_2_03142840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031268B81_2_031268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E8F01_2_0316E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03160F301_2_03160F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E2F301_2_031E2F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03182F281_2_03182F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B4F401_2_031B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BEFA01_2_031BEFA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03132FC81_2_03132FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FEE261_2_031FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140E591_2_03140E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03152E901_2_03152E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FCE931_2_031FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FEEDB1_2_031FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DCD1F1_2_031DCD1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314AD001_2_0314AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03158DBF1_2_03158DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313ADE01_2_0313ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140C001_2_03140C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0CB51_2_031E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130CF21_2_03130CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F132D1_2_031F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312D34C1_2_0312D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0318739A1_2_0318739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031452A01_2_031452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315B2C01_2_0315B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E12ED1_2_031E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320B16B1_2_0320B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F1721_2_0312F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0317516C1_2_0317516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314B1B01_2_0314B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EF0CC1_2_031EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C01_2_031470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F70E91_2_031F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FF0E01_2_031FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FF7B01_2_031FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031856301_2_03185630
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F16CC1_2_031F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F75711_2_031F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DD5B01_2_031DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FF43F1_2_031FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031314601_2_03131460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FFB761_2_031FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315FB801_2_0315FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B5BF01_2_031B5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0317DBF91_2_0317DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FFA491_2_031FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F7A461_2_031F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B3A6C1_2_031B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DDAAC1_2_031DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03185AA01_2_03185AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E1AA31_2_031E1AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EDAC61_2_031EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D59101_2_031D5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031499501_2_03149950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315B9501_2_0315B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AD8001_2_031AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031438E01_2_031438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FFF091_2_031FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141F921_2_03141F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FFFB11_2_031FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03149EB01_2_03149EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F1D5A1_2_031F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03143D401_2_03143D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F7D731_2_031F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315FDC01_2_0315FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B9C321_2_031B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FFCF21_2_031FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03187E54 appears 108 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0312B970 appears 265 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03175130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 031BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 031AEA12 appears 86 times
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: String function: 00DB0A30 appears 46 times
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: String function: 00DAF9F2 appears 31 times
          Source: BOQ Inquiry.exe, 00000000.00000003.1673627475.0000000003DBD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs BOQ Inquiry.exe
          Source: BOQ Inquiry.exe, 00000000.00000003.1674447238.0000000003C13000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs BOQ Inquiry.exe
          Source: BOQ Inquiry.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 1.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.svchost.exe.620000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1964890977.0000000000E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1964646888.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal92.troj.evad.winEXE@3/4@0/0
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E037B5 GetLastError,FormatMessageW,0_2_00E037B5
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DF10BF AdjustTokenPrivileges,CloseHandle,0_2_00DF10BF
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DF16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00DF16C3
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00E051CD
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E1A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00E1A67C
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E0648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_00E0648E
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00D942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00D942A2
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeFile created: C:\Users\user\AppData\Local\Temp\autCEA3.tmpJump to behavior
          Source: BOQ Inquiry.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: BOQ Inquiry.exeReversingLabs: Detection: 36%
          Source: unknownProcess created: C:\Users\user\Desktop\BOQ Inquiry.exe "C:\Users\user\Desktop\BOQ Inquiry.exe"
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BOQ Inquiry.exe"
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BOQ Inquiry.exe"Jump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: ntmarta.dllJump to behavior
          Source: BOQ Inquiry.exeStatic file information: File size 1245184 > 1048576
          Source: BOQ Inquiry.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: BOQ Inquiry.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: BOQ Inquiry.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: BOQ Inquiry.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: BOQ Inquiry.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: BOQ Inquiry.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: BOQ Inquiry.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: BOQ Inquiry.exe, 00000000.00000003.1674157801.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, BOQ Inquiry.exe, 00000000.00000003.1674447238.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1964930708.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1964930708.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750464522.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1757999893.0000000002F00000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: BOQ Inquiry.exe, 00000000.00000003.1674157801.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, BOQ Inquiry.exe, 00000000.00000003.1674447238.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1964930708.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1964930708.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750464522.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1757999893.0000000002F00000.00000004.00000020.00020000.00000000.sdmp
          Source: BOQ Inquiry.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: BOQ Inquiry.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: BOQ Inquiry.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: BOQ Inquiry.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: BOQ Inquiry.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00D942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D942DE
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB0A76 push ecx; ret 0_2_00DB0A89
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_006381F4 push ecx; ret 1_2_006381F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0062D27F push ds; ret 1_2_0062D28D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_006233F0 push eax; ret 1_2_006233F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0063A478 push 00000025h; iretd 1_2_0063A534
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0064DC13 push edi; ret 1_2_0064DC1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0063A515 push 00000025h; iretd 1_2_0063A534
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0063A624 push ecx; retf 1_2_0063A625
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0062C68F push esi; ret 1_2_0062C691
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0063377B push es; retf 1_2_00633782
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0062872A push ecx; ret 1_2_0062872B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031309AD push ecx; mov dword ptr [esp], ecx1_2_031309B6
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DAF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00DAF98E
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E21C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00E21C41
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Found API chain indicative of sandbox detection
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_0-98159
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeAPI/Special instruction interceptor: Address: CF3224
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0317096E rdtsc 1_2_0317096E
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeAPI coverage: 3.9 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 6804Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DFDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00DFDBBE
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E068EE FindFirstFileW,FindClose,0_2_00E068EE
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E0698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00E0698F
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DFD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DFD076
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DFD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DFD3A9
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E09642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E09642
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E0979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E0979D
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E09B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00E09B2B
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E05C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00E05C97
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00D942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D942DE
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0317096E rdtsc 1_2_0317096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00637913 LdrLoadDll,1_2_00637913
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E0EAA2 BlockInput,0_2_00E0EAA2
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DC2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00DC2622
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00D942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D942DE
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB4CE8 mov eax, dword ptr fs:[00000030h]0_2_00DB4CE8
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00CF34F0 mov eax, dword ptr fs:[00000030h]0_2_00CF34F0
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00CF3490 mov eax, dword ptr fs:[00000030h]0_2_00CF3490
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00CF1E70 mov eax, dword ptr fs:[00000030h]0_2_00CF1E70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C310 mov ecx, dword ptr fs:[00000030h]1_2_0312C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03150310 mov ecx, dword ptr fs:[00000030h]1_2_03150310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]1_2_0316A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]1_2_0316A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]1_2_0316A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]1_2_031B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]1_2_031B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]1_2_031B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B035C mov ecx, dword ptr fs:[00000030h]1_2_031B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]1_2_031B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]1_2_031B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FA352 mov eax, dword ptr fs:[00000030h]1_2_031FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D8350 mov ecx, dword ptr fs:[00000030h]1_2_031D8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]1_2_031B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D437C mov eax, dword ptr fs:[00000030h]1_2_031D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320634F mov eax, dword ptr fs:[00000030h]1_2_0320634F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]1_2_03128397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]1_2_03128397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]1_2_03128397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]1_2_0312E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]1_2_0312E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]1_2_0312E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]1_2_0315438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]1_2_0315438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]1_2_031DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]1_2_031DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE3DB mov ecx, dword ptr fs:[00000030h]1_2_031DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]1_2_031DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]1_2_031D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]1_2_031D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EC3CD mov eax, dword ptr fs:[00000030h]1_2_031EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]1_2_0313A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]1_2_031383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]1_2_031383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]1_2_031383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]1_2_031383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B63C0 mov eax, dword ptr fs:[00000030h]1_2_031B63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]1_2_0314E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]1_2_0314E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]1_2_0314E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031663FF mov eax, dword ptr fs:[00000030h]1_2_031663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312823B mov eax, dword ptr fs:[00000030h]1_2_0312823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A250 mov eax, dword ptr fs:[00000030h]1_2_0312A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136259 mov eax, dword ptr fs:[00000030h]1_2_03136259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]1_2_031EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]1_2_031EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B8243 mov eax, dword ptr fs:[00000030h]1_2_031B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B8243 mov ecx, dword ptr fs:[00000030h]1_2_031B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]1_2_03134260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]1_2_03134260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]1_2_03134260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312826B mov eax, dword ptr fs:[00000030h]1_2_0312826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320625D mov eax, dword ptr fs:[00000030h]1_2_0320625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]1_2_0316E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]1_2_0316E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]1_2_031B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]1_2_031B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]1_2_031B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]1_2_031402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]1_2_031402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov ecx, dword ptr fs:[00000030h]1_2_031C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]1_2_031402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]1_2_031402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]1_2_031402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032062D6 mov eax, dword ptr fs:[00000030h]1_2_032062D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov ecx, dword ptr fs:[00000030h]1_2_031DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]1_2_031DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]1_2_031DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]1_2_031DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F0115 mov eax, dword ptr fs:[00000030h]1_2_031F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03160124 mov eax, dword ptr fs:[00000030h]1_2_03160124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C156 mov eax, dword ptr fs:[00000030h]1_2_0312C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C8158 mov eax, dword ptr fs:[00000030h]1_2_031C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]1_2_03204164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]1_2_03204164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]1_2_03136154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]1_2_03136154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov ecx, dword ptr fs:[00000030h]1_2_031C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]1_2_0312A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]1_2_0312A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]1_2_0312A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03170185 mov eax, dword ptr fs:[00000030h]1_2_03170185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]1_2_031EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]1_2_031EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]1_2_031D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]1_2_031D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032061E5 mov eax, dword ptr fs:[00000030h]1_2_032061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_031AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]1_2_031F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]1_2_031F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031601F8 mov eax, dword ptr fs:[00000030h]1_2_031601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B4000 mov ecx, dword ptr fs:[00000030h]1_2_031B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6030 mov eax, dword ptr fs:[00000030h]1_2_031C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A020 mov eax, dword ptr fs:[00000030h]1_2_0312A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C020 mov eax, dword ptr fs:[00000030h]1_2_0312C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03132050 mov eax, dword ptr fs:[00000030h]1_2_03132050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6050 mov eax, dword ptr fs:[00000030h]1_2_031B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315C073 mov eax, dword ptr fs:[00000030h]1_2_0315C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313208A mov eax, dword ptr fs:[00000030h]1_2_0313208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F60B8 mov eax, dword ptr fs:[00000030h]1_2_031F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F60B8 mov ecx, dword ptr fs:[00000030h]1_2_031F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031280A0 mov eax, dword ptr fs:[00000030h]1_2_031280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C80A8 mov eax, dword ptr fs:[00000030h]1_2_031C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B20DE mov eax, dword ptr fs:[00000030h]1_2_031B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C0F0 mov eax, dword ptr fs:[00000030h]1_2_0312C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031720F0 mov ecx, dword ptr fs:[00000030h]1_2_031720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0312A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031380E9 mov eax, dword ptr fs:[00000030h]1_2_031380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B60E0 mov eax, dword ptr fs:[00000030h]1_2_031B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130710 mov eax, dword ptr fs:[00000030h]1_2_03130710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03160710 mov eax, dword ptr fs:[00000030h]1_2_03160710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C700 mov eax, dword ptr fs:[00000030h]1_2_0316C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]1_2_0316273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov ecx, dword ptr fs:[00000030h]1_2_0316273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]1_2_0316273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AC730 mov eax, dword ptr fs:[00000030h]1_2_031AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]1_2_0316C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]1_2_0316C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130750 mov eax, dword ptr fs:[00000030h]1_2_03130750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE75D mov eax, dword ptr fs:[00000030h]1_2_031BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]1_2_03172750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]1_2_03172750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B4755 mov eax, dword ptr fs:[00000030h]1_2_031B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov esi, dword ptr fs:[00000030h]1_2_0316674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]1_2_0316674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]1_2_0316674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138770 mov eax, dword ptr fs:[00000030h]1_2_03138770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D678E mov eax, dword ptr fs:[00000030h]1_2_031D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031307AF mov eax, dword ptr fs:[00000030h]1_2_031307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E47A0 mov eax, dword ptr fs:[00000030h]1_2_031E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313C7C0 mov eax, dword ptr fs:[00000030h]1_2_0313C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B07C3 mov eax, dword ptr fs:[00000030h]1_2_031B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]1_2_031347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]1_2_031347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE7E1 mov eax, dword ptr fs:[00000030h]1_2_031BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172619 mov eax, dword ptr fs:[00000030h]1_2_03172619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE609 mov eax, dword ptr fs:[00000030h]1_2_031AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E627 mov eax, dword ptr fs:[00000030h]1_2_0314E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03166620 mov eax, dword ptr fs:[00000030h]1_2_03166620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168620 mov eax, dword ptr fs:[00000030h]1_2_03168620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313262C mov eax, dword ptr fs:[00000030h]1_2_0313262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314C640 mov eax, dword ptr fs:[00000030h]1_2_0314C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03162674 mov eax, dword ptr fs:[00000030h]1_2_03162674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]1_2_031F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]1_2_031F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]1_2_0316A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]1_2_0316A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]1_2_03134690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]1_2_03134690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031666B0 mov eax, dword ptr fs:[00000030h]1_2_031666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C6A6 mov eax, dword ptr fs:[00000030h]1_2_0316C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0316A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A6C7 mov eax, dword ptr fs:[00000030h]1_2_0316A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]1_2_031B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]1_2_031B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6500 mov eax, dword ptr fs:[00000030h]1_2_031C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138550 mov eax, dword ptr fs:[00000030h]1_2_03138550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138550 mov eax, dword ptr fs:[00000030h]1_2_03138550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]1_2_0316656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]1_2_0316656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]1_2_0316656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E59C mov eax, dword ptr fs:[00000030h]1_2_0316E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03132582 mov eax, dword ptr fs:[00000030h]1_2_03132582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03132582 mov ecx, dword ptr fs:[00000030h]1_2_03132582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03164588 mov eax, dword ptr fs:[00000030h]1_2_03164588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h]1_2_031545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h]1_2_031545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]1_2_031B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]1_2_031B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]1_2_031B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031365D0 mov eax, dword ptr fs:[00000030h]1_2_031365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h]1_2_0316A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h]1_2_0316A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h]1_2_0316E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h]1_2_0316E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]1_2_0315E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031325E0 mov eax, dword ptr fs:[00000030h]1_2_031325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h]1_2_0316C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h]1_2_0316C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]1_2_03168402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]1_2_03168402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]1_2_03168402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A430 mov eax, dword ptr fs:[00000030h]1_2_0316A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]1_2_0312E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]1_2_0312E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]1_2_0312E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C427 mov eax, dword ptr fs:[00000030h]1_2_0312C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]1_2_031B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EA456 mov eax, dword ptr fs:[00000030h]1_2_031EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312645D mov eax, dword ptr fs:[00000030h]1_2_0312645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315245A mov eax, dword ptr fs:[00000030h]1_2_0315245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]1_2_0316E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]1_2_0315A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]1_2_0315A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]1_2_0315A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BC460 mov ecx, dword ptr fs:[00000030h]1_2_031BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EA49A mov eax, dword ptr fs:[00000030h]1_2_031EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031644B0 mov ecx, dword ptr fs:[00000030h]1_2_031644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BA4B0 mov eax, dword ptr fs:[00000030h]1_2_031BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031364AB mov eax, dword ptr fs:[00000030h]1_2_031364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031304E5 mov ecx, dword ptr fs:[00000030h]1_2_031304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]1_2_031AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204B00 mov eax, dword ptr fs:[00000030h]1_2_03204B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h]1_2_0315EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h]1_2_0315EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h]1_2_031F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h]1_2_031F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03128B50 mov eax, dword ptr fs:[00000030h]1_2_03128B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DEB50 mov eax, dword ptr fs:[00000030h]1_2_031DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h]1_2_031E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h]1_2_031E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h]1_2_031C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h]1_2_031C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FAB40 mov eax, dword ptr fs:[00000030h]1_2_031FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D8B42 mov eax, dword ptr fs:[00000030h]1_2_031D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312CB7E mov eax, dword ptr fs:[00000030h]1_2_0312CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]1_2_03202B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]1_2_03202B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]1_2_03202B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]1_2_03202B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h]1_2_03140BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h]1_2_03140BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h]1_2_031E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h]1_2_031E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DEBD0 mov eax, dword ptr fs:[00000030h]1_2_031DEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]1_2_03150BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]1_2_03150BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]1_2_03150BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]1_2_03130BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]1_2_03130BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]1_2_03130BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]1_2_03138BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]1_2_03138BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]1_2_03138BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315EBFC mov eax, dword ptr fs:[00000030h]1_2_0315EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BCBF0 mov eax, dword ptr fs:[00000030h]1_2_031BCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BCA11 mov eax, dword ptr fs:[00000030h]1_2_031BCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h]1_2_03154A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h]1_2_03154A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316CA38 mov eax, dword ptr fs:[00000030h]1_2_0316CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316CA24 mov eax, dword ptr fs:[00000030h]1_2_0316CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315EA2E mov eax, dword ptr fs:[00000030h]1_2_0315EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]1_2_03136A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h]1_2_03140A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h]1_2_03140A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h]1_2_031ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h]1_2_031ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]1_2_0316CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]1_2_0316CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]1_2_0316CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DEA60 mov eax, dword ptr fs:[00000030h]1_2_031DEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168A90 mov edx, dword ptr fs:[00000030h]1_2_03168A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]1_2_0313EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]1_2_0313EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]1_2_0313EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]1_2_0313EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]1_2_0313EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]1_2_0313EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]1_2_0313EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]1_2_0313EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]1_2_0313EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204A80 mov eax, dword ptr fs:[00000030h]1_2_03204A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h]1_2_03138AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h]1_2_03138AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03186AA4 mov eax, dword ptr fs:[00000030h]1_2_03186AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130AD0 mov eax, dword ptr fs:[00000030h]1_2_03130AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h]1_2_03164AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h]1_2_03164AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]1_2_03186ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]1_2_03186ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]1_2_03186ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h]1_2_0316AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h]1_2_0316AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BC912 mov eax, dword ptr fs:[00000030h]1_2_031BC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03128918 mov eax, dword ptr fs:[00000030h]1_2_03128918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03128918 mov eax, dword ptr fs:[00000030h]1_2_03128918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h]1_2_031AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h]1_2_031AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B892A mov eax, dword ptr fs:[00000030h]1_2_031B892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C892B mov eax, dword ptr fs:[00000030h]1_2_031C892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B0946 mov eax, dword ptr fs:[00000030h]1_2_031B0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204940 mov eax, dword ptr fs:[00000030h]1_2_03204940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h]1_2_031D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h]1_2_031D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BC97C mov eax, dword ptr fs:[00000030h]1_2_031BC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]1_2_03156962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]1_2_03156962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]1_2_03156962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0317096E mov eax, dword ptr fs:[00000030h]1_2_0317096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0317096E mov edx, dword ptr fs:[00000030h]1_2_0317096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0317096E mov eax, dword ptr fs:[00000030h]1_2_0317096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B89B3 mov esi, dword ptr fs:[00000030h]1_2_031B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h]1_2_031B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h]1_2_031B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]1_2_031429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031309AD mov eax, dword ptr fs:[00000030h]1_2_031309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031309AD mov eax, dword ptr fs:[00000030h]1_2_031309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]1_2_0313A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]1_2_0313A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]1_2_0313A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]1_2_0313A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]1_2_0313A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]1_2_0313A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031649D0 mov eax, dword ptr fs:[00000030h]1_2_031649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031FA9D3 mov eax, dword ptr fs:[00000030h]1_2_031FA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C69C0 mov eax, dword ptr fs:[00000030h]1_2_031C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h]1_2_031629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h]1_2_031629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE9E0 mov eax, dword ptr fs:[00000030h]1_2_031BE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BC810 mov eax, dword ptr fs:[00000030h]1_2_031BC810
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]1_2_03152835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]1_2_03152835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]1_2_03152835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03152835 mov ecx, dword ptr fs:[00000030h]1_2_03152835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]1_2_03152835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]1_2_03152835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A830 mov eax, dword ptr fs:[00000030h]1_2_0316A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D483A mov eax, dword ptr fs:[00000030h]1_2_031D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D483A mov eax, dword ptr fs:[00000030h]1_2_031D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03160854 mov eax, dword ptr fs:[00000030h]1_2_03160854
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134859 mov eax, dword ptr fs:[00000030h]1_2_03134859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134859 mov eax, dword ptr fs:[00000030h]1_2_03134859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03142840 mov ecx, dword ptr fs:[00000030h]1_2_03142840
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DF0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00DF0B62
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DC2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00DC2622
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00DB083F
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB09D5 SetUnhandledExceptionFilter,0_2_00DB09D5
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00DB0C21

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 477008Jump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DF1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00DF1201
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DD2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00DD2BA5
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DFB226 SendInput,keybd_event,0_2_00DFB226
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_00E122DA
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BOQ Inquiry.exe"Jump to behavior
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DF0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00DF0B62
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DF1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00DF1663
          Source: BOQ Inquiry.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: BOQ Inquiry.exeBinary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DB0698 cpuid 0_2_00DB0698
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E08195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00E08195
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DED27A GetUserNameW,0_2_00DED27A
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00DCBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00DCBB6F
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00D942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D942DE

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.1964890977.0000000000E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.1964646888.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: BOQ Inquiry.exeBinary or memory string: WIN_81
          Source: BOQ Inquiry.exeBinary or memory string: WIN_XP
          Source: BOQ Inquiry.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
          Source: BOQ Inquiry.exeBinary or memory string: WIN_XPe
          Source: BOQ Inquiry.exeBinary or memory string: WIN_VISTA
          Source: BOQ Inquiry.exeBinary or memory string: WIN_7
          Source: BOQ Inquiry.exeBinary or memory string: WIN_8

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.svchost.exe.620000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.svchost.exe.620000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.1964890977.0000000000E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.1964646888.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E11204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_00E11204
          Source: C:\Users\user\Desktop\BOQ Inquiry.exeCode function: 0_2_00E11806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00E11806

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire Infrastructure2
          Valid Accounts          		1
          Native API          		2
          Valid Accounts          		2
          Valid Accounts          		2
          Valid Accounts          		21
          Input Capture          		2
          System Time Discovery          		Remote Services21
          Input Capture          		1
          Encrypted Channel          		Exfiltration Over Other Network Medium1
          System Shutdown/Reboot
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          DLL Side-Loading          		1
          Exploitation for Privilege Escalation          		1
          Disable or Modify Tools          		LSASS Memory24
          Security Software Discovery          		Remote Desktop Protocol1
          Archive Collected Data          		1
          Ingress Tool Transfer          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)21
          Access Token Manipulation          		12
          Virtualization/Sandbox Evasion          		Security Account Manager12
          Virtualization/Sandbox Evasion          		SMB/Windows Admin Shares3
          Clipboard Data          		SteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook212
          Process Injection          		21
          Access Token Manipulation          		NTDS3
          Process Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
          DLL Side-Loading          		212
          Process Injection          		LSA Secrets1
          Application Window Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Deobfuscate/Decode Files or Information          		Cached Domain Credentials1
          Account Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
          Obfuscated Files or Information          		DCSync1
          System Owner/User Discovery          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
          DLL Side-Loading          		Proc Filesystem1
          File and Directory Discovery          		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow115
          System Information Discovery          		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          BOQ Inquiry.exe37%ReversingLabsWin32.Trojan.Strab
          BOQ Inquiry.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1483267
          Start date and time:2024-07-26 23:44:13 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 6m 40s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:7
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:BOQ Inquiry.exe
          Detection:MAL
          Classification:mal92.troj.evad.winEXE@3/4@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 97%
          • Number of executed functions: 48
          • Number of non-executed functions: 302
          Cookbook Comments:
          • Found application associated with file extension: .exe

          Warnings

          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • VT rate limit hit for: BOQ Inquiry.exe

          Simulations

          Behavior and APIs

          TimeTypeDescription
          17:45:27API Interceptor3x Sleep call for process: svchost.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Temp\Graff

          Download File
          Process:C:\Users\user\Desktop\BOQ Inquiry.exe
          File Type:data
          Category:dropped
          Size (bytes):286208
          Entropy (8bit):7.995214657232319
          Encrypted:true
          SSDEEP:6144:GvrmL789mCwXK2FlOOSBTQ9ICFOnBDCyAW4260Fhwu:ArO8spXK2FzSBTIIF9CWLQu
          MD5:B5B513583FFDFA67438C6F51C7F81454
          SHA1:042BA6DC3DD318CCDEA68DBE3C54DF6867617A77
          SHA-256:15481795C2A75B15D5F5E4DABA8B92A16F2D19ACA102CB3C18E1DDF8E361212C
          SHA-512:097E44AF452A48470B0165567C5BB15424AFFD3FF7A5FB7DDCCCB7E3947B15B9413F8F789F095F91AE5C201B91DB6D55C64C0E9C2CE6F625898E48B9B1470CED
          Malicious:false
          Reputation:low
          Preview:yowj.AL2Vl.N..v.GA....7=...AL2V4HYGCBVAJRGBW1M14528RAL2V4.YGCLI.DR.K...0x..l:(?.&F'>5"/v"+<)-#./T.GGVr("..{.y*,&3oG_MfW1M1452ASH..6S.d'$.k!-.]...wQS.(...pR1.R..~6&...!?.-V.528RAL2Vd.YG.CWA....W1M14528.AN3]5CYG.FVAJRGBW1M. 528BAL260HYG.BVQJRG@W1K14528RAJ2V4HYGCB6EJREBW1M1472x.AL"V4XYGCBFAJBGBW1M1$528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL."Q0-GCB..NRGRW1M}052(RAL2V4HYGCBVAJrGB71M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M1

          C:\Users\user\AppData\Local\Temp\Grinnellia

          Download File
          Process:C:\Users\user\Desktop\BOQ Inquiry.exe
          File Type:ASCII text, with very long lines (28674), with no line terminators
          Category:dropped
          Size (bytes):28674
          Entropy (8bit):3.581049375828545
          Encrypted:false
          SSDEEP:768:Jxy18ScFCo3T3iC8vh3wntjUa+nz+nVkC/esT2HzcmL5sCWi:q18ScFCo3T3idvh3wntjUa+nz+nVkC/u
          MD5:C88C4512675DF0A4B92076D00682E03B
          SHA1:F6B8BB287A70B36D237DC875CC036D32D261C6D4
          SHA-256:9AD952B2A18B8494B5FB6BE6AFB1ABBF0445DB5D8FFC7EDF9583637BF2E575C1
          SHA-512:09D067317883432F196B1D076816F2BA4AEFC792134163322C7467490DE3E0F2FBFEB47D983750CBA8BFB4E8D820ECF557CCEAA8DA1EA493D489411178D18841
          Malicious:false
          Reputation:low
          Preview:3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;

          C:\Users\user\AppData\Local\Temp\autCEA3.tmp

          Download File
          Process:C:\Users\user\Desktop\BOQ Inquiry.exe
          File Type:data
          Category:dropped
          Size (bytes):286208
          Entropy (8bit):7.995214657232319
          Encrypted:true
          SSDEEP:6144:GvrmL789mCwXK2FlOOSBTQ9ICFOnBDCyAW4260Fhwu:ArO8spXK2FzSBTIIF9CWLQu
          MD5:B5B513583FFDFA67438C6F51C7F81454
          SHA1:042BA6DC3DD318CCDEA68DBE3C54DF6867617A77
          SHA-256:15481795C2A75B15D5F5E4DABA8B92A16F2D19ACA102CB3C18E1DDF8E361212C
          SHA-512:097E44AF452A48470B0165567C5BB15424AFFD3FF7A5FB7DDCCCB7E3947B15B9413F8F789F095F91AE5C201B91DB6D55C64C0E9C2CE6F625898E48B9B1470CED
          Malicious:false
          Reputation:low
          Preview:yowj.AL2Vl.N..v.GA....7=...AL2V4HYGCBVAJRGBW1M14528RAL2V4.YGCLI.DR.K...0x..l:(?.&F'>5"/v"+<)-#./T.GGVr("..{.y*,&3oG_MfW1M1452ASH..6S.d'$.k!-.]...wQS.(...pR1.R..~6&...!?.-V.528RAL2Vd.YG.CWA....W1M14528.AN3]5CYG.FVAJRGBW1M. 528BAL260HYG.BVQJRG@W1K14528RAJ2V4HYGCB6EJREBW1M1472x.AL"V4XYGCBFAJBGBW1M1$528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL."Q0-GCB..NRGRW1M}052(RAL2V4HYGCBVAJrGB71M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M14528RAL2V4HYGCBVAJRGBW1M1

          C:\Users\user\AppData\Local\Temp\autCEF3.tmp

          Download File
          Process:C:\Users\user\Desktop\BOQ Inquiry.exe
          File Type:data
          Category:dropped
          Size (bytes):9774
          Entropy (8bit):7.636919830450193
          Encrypted:false
          SSDEEP:192:ZtQkahrmDcR7EZIkN35+q45zhCLBNEfYPmLBYoWR8U86kFnIs:ZGt1rgH35TeivEfYeLBtW6U4FIs
          MD5:4C5703237884D8F9A694B50D0C799AC3
          SHA1:9DC5CBB97F60C7A11C6B50D487C4F58B08EB7573
          SHA-256:954776EB9FC57BACD3054EE1F9F3F64928CD89B0F71A4D032A8A68319E6F5580
          SHA-512:79D7871767E9CC2BFCF13B550B0DE624AE305C1FB1357DF05C8BD731062DD385D60CE9F75451287A9586C735AAD26E5B6E72EC31B9A58BB9D1F4FCB4727610A2
          Malicious:false
          Reputation:low
          Preview:EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3|vi..G.7...8_..qf..i|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.129838431293544
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:BOQ Inquiry.exe
          File size:1'245'184 bytes
          MD5:ccdc7eb74161dec113cfc651731e3ed2
          SHA1:c299757e2eb69276ba604e114bda9800c22753fb
          SHA256:a133d4b98713e10ff269ced474727528256011109c3440bcfb5112a46b836c26
          SHA512:7cc6dbf5f3ca2e20954abc687a886689db8f576bf653335382c30f14d623854347ffb046457f0ba2112a21f6486930bc815359057fd5327912a43ed32a154fcd
          SSDEEP:24576:DqDEvCTbMWu7rQYlBQcBiT6rprG8a4Q+GoPcvc9KsTzM:DTvC/MTQYxsWR7a4FGc9
          TLSH:4745CF027391C062FFAB92334B5AF6515BBC79260123E61F13A81D79BE701B1563E7A3
          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

          File Icon

          Icon Hash:aaf3e3e3938382a0

          Static PE Info

          General

          Entrypoint:0x420577
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x66A38279 [Fri Jul 26 11:03:21 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:948cc502fe9226992dce9417f952fce3

          Entrypoint Preview

          Instruction
          call 00007F46247F48E3h
          jmp 00007F46247F41EFh
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F46247F43CDh
          mov dword ptr [esi], 0049FDF0h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FDF8h
          mov dword ptr [ecx], 0049FDF0h
          ret
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F46247F439Ah
          mov dword ptr [esi], 0049FE0Ch
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FE14h
          mov dword ptr [ecx], 0049FE0Ch
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          and dword ptr [eax], 00000000h
          and dword ptr [eax+04h], 00000000h
          push eax
          mov eax, dword ptr [ebp+08h]
          add eax, 04h
          push eax
          call 00007F46247F6F8Dh
          pop ecx
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          lea eax, dword ptr [ecx+04h]
          mov dword ptr [ecx], 0049FDD0h
          push eax
          call 00007F46247F6FD8h
          pop ecx
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          push eax
          call 00007F46247F6FC1h
          test byte ptr [ebp+08h], 00000001h
          pop ecx

          Rich Headers

          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0xc8e640x17c.rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0xd40000x59578.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x12e0000x7594.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0xb0ff00x1c.rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0xc34000x18.rdata
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xb10100x40.rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x9c0000x894.rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x10000x9ab1d0x9ac000a1473f3064dcbc32ef93c5c8a90f3a6False0.565500681542811data6.668273581389308IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata0x9c0000x2fb820x2fc00c9cf2468b60bf4f80f136ed54b3989fbFalse0.35289185209424084data5.691811547483722IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data0xcc0000x706c0x480053b9025d545d65e23295e30afdbd16d9False0.04356553819444445DOS executable (block device driver @\273\)0.5846666986982398IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc0xd40000x595780x59600950281cc69c4308c2597e40443666893False0.9267564466783217data7.890836195032741IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc0x12e0000x75940x7600c68ee8931a32d45eb82dc450ee40efc3False0.7628111758474576data6.7972128181359786IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          NameRVASizeTypeLanguageCountryZLIB Complexity
          RT_ICON0xd45a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
          RT_ICON0xd46d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
          RT_ICON0xd47f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
          RT_ICON0xd49200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
          RT_ICON0xd4c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
          RT_ICON0xd4d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
          RT_ICON0xd5bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
          RT_ICON0xd64800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
          RT_ICON0xd69e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
          RT_ICON0xd8f900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
          RT_ICON0xda0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
          RT_MENU0xda4a00x50dataEnglishGreat Britain0.9
          RT_STRING0xda4f00x594dataEnglishGreat Britain0.3333333333333333
          RT_STRING0xdaa840x68adataEnglishGreat Britain0.2735961768219833
          RT_STRING0xdb1100x490dataEnglishGreat Britain0.3715753424657534
          RT_STRING0xdb5a00x5fcdataEnglishGreat Britain0.3087467362924282
          RT_STRING0xdbb9c0x65cdataEnglishGreat Britain0.34336609336609336
          RT_STRING0xdc1f80x466dataEnglishGreat Britain0.3605683836589698
          RT_STRING0xdc6600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
          RT_RCDATA0xdc7b80x50840data1.0003365757810985
          RT_GROUP_ICON0x12cff80x76dataEnglishGreat Britain0.6610169491525424
          RT_GROUP_ICON0x12d0700x14dataEnglishGreat Britain1.25
          RT_GROUP_ICON0x12d0840x14dataEnglishGreat Britain1.15
          RT_GROUP_ICON0x12d0980x14dataEnglishGreat Britain1.25
          RT_VERSION0x12d0ac0xdcdataEnglishGreat Britain0.6181818181818182
          RT_MANIFEST0x12d1880x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

          Imports

          DLLImport
          WSOCK32.dllgethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
          VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
          WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dllWNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
          WININET.dllHttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
          PSAPI.DLLGetProcessMemoryInfo
          IPHLPAPI.DLLIcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
          USERENV.dllDestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
          UxTheme.dllIsThemeActive
          KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
          USER32.dllGetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
          GDI32.dllEndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
          COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
          SHELL32.dllDragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
          ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
          OLEAUT32.dllCreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

          Possible Origin

          Language of compilation systemCountry where language is spokenMap
          EnglishGreat Britain

          Network Behavior

          UDP Packets

          TimestampSource PortDest PortSource IPDest IP
          Jul 26, 2024 23:45:27.504021883 CEST53550401.1.1.1192.168.2.4

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:17:45:03
          Start date:26/07/2024
          Path:C:\Users\user\Desktop\BOQ Inquiry.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\BOQ Inquiry.exe"
          Imagebase:0xd90000
          File size:1'245'184 bytes
          MD5 hash:CCDC7EB74161DEC113CFC651731E3ED2
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          General

          Target ID:1
          Start time:17:45:04
          Start date:26/07/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\BOQ Inquiry.exe"
          Imagebase:0xef0000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1964890977.0000000000E40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1964890977.0000000000E40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1964646888.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1964646888.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:true

          Disassembly

          Reset < >

            Execution Graph

            Execution Coverage:3%
            Dynamic/Decrypted Code Coverage:0.9%
            Signature Coverage:3%
            Total number of Nodes:1915
            Total number of Limit Nodes:54
            execution_graph 95929 db03fb 95930 db0407 CallCatchBlock 95929->95930 95958 dafeb1 95930->95958 95932 db040e 95933 db0561 95932->95933 95936 db0438 95932->95936 95985 db083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 95933->95985 95935 db0568 95986 db4e52 28 API calls _abort 95935->95986 95947 db0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 95936->95947 95969 dc247d 95936->95969 95938 db056e 95987 db4e04 28 API calls _abort 95938->95987 95942 db0576 95943 db0457 95945 db04d8 95977 db0959 95945->95977 95947->95945 95981 db4e1a 38 API calls 3 library calls 95947->95981 95949 db04de 95950 db04f3 95949->95950 95982 db0992 GetModuleHandleW 95950->95982 95952 db04fa 95952->95935 95953 db04fe 95952->95953 95954 db0507 95953->95954 95983 db4df5 28 API calls _abort 95953->95983 95984 db0040 13 API calls 2 library calls 95954->95984 95957 db050f 95957->95943 95959 dafeba 95958->95959 95988 db0698 IsProcessorFeaturePresent 95959->95988 95961 dafec6 95989 db2c94 10 API calls 3 library calls 95961->95989 95963 dafecb 95964 dafecf 95963->95964 95990 dc2317 95963->95990 95964->95932 95967 dafee6 95967->95932 95970 dc2494 95969->95970 95971 db0a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 95970->95971 95972 db0451 95971->95972 95972->95943 95973 dc2421 95972->95973 95975 dc2450 95973->95975 95974 db0a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 95976 dc2479 95974->95976 95975->95974 95976->95947 96065 db2340 95977->96065 95980 db097f 95980->95949 95981->95945 95982->95952 95983->95954 95984->95957 95985->95935 95986->95938 95987->95942 95988->95961 95989->95963 95994 dcd1f6 95990->95994 95993 db2cbd 8 API calls 3 library calls 95993->95964 95997 dcd213 95994->95997 95998 dcd20f 95994->95998 95996 dafed8 95996->95967 95996->95993 95997->95998 96000 dc4bfb 95997->96000 96012 db0a8c 95998->96012 96001 dc4c07 CallCatchBlock 96000->96001 96019 dc2f5e EnterCriticalSection 96001->96019 96003 dc4c0e 96020 dc50af 96003->96020 96005 dc4c1d 96011 dc4c2c 96005->96011 96033 dc4a8f 29 API calls 96005->96033 96008 dc4c27 96034 dc4b45 GetStdHandle GetFileType 96008->96034 96009 dc4c3d __wsopen_s 96009->95997 96035 dc4c48 LeaveCriticalSection _abort 96011->96035 96013 db0a97 IsProcessorFeaturePresent 96012->96013 96014 db0a95 96012->96014 96016 db0c5d 96013->96016 96014->95996 96064 db0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96016->96064 96018 db0d40 96018->95996 96019->96003 96021 dc50bb CallCatchBlock 96020->96021 96022 dc50df 96021->96022 96023 dc50c8 96021->96023 96036 dc2f5e EnterCriticalSection 96022->96036 96044 dbf2d9 20 API calls __dosmaperr 96023->96044 96026 dc50eb 96032 dc5117 96026->96032 96037 dc5000 96026->96037 96027 dc50cd 96045 dc27ec 26 API calls __cftof 96027->96045 96030 dc50d7 __wsopen_s 96030->96005 96046 dc513e LeaveCriticalSection _abort 96032->96046 96033->96008 96034->96011 96035->96009 96036->96026 96047 dc4c7d 96037->96047 96039 dc5012 96043 dc501f 96039->96043 96054 dc3405 11 API calls 2 library calls 96039->96054 96042 dc5071 96042->96026 96055 dc29c8 96043->96055 96044->96027 96045->96030 96046->96030 96052 dc4c8a __dosmaperr 96047->96052 96048 dc4cca 96062 dbf2d9 20 API calls __dosmaperr 96048->96062 96049 dc4cb5 RtlAllocateHeap 96050 dc4cc8 96049->96050 96049->96052 96050->96039 96052->96048 96052->96049 96061 db4ead 7 API calls 2 library calls 96052->96061 96054->96039 96056 dc29d3 RtlFreeHeap 96055->96056 96060 dc29fc __dosmaperr 96055->96060 96057 dc29e8 96056->96057 96056->96060 96063 dbf2d9 20 API calls __dosmaperr 96057->96063 96059 dc29ee GetLastError 96059->96060 96060->96042 96061->96052 96062->96050 96063->96059 96064->96018 96066 db096c GetStartupInfoW 96065->96066 96066->95980 96067 d91098 96072 d942de 96067->96072 96071 d910a7 96093 d9a961 96072->96093 96076 d94342 96086 d94378 96076->96086 96110 d993b2 96076->96110 96078 d9436c 96114 d937a0 96078->96114 96079 d9441b GetCurrentProcess IsWow64Process 96081 d94437 96079->96081 96082 d9444f LoadLibraryA 96081->96082 96083 dd3824 GetSystemInfo 96081->96083 96084 d9449c GetSystemInfo 96082->96084 96085 d94460 GetProcAddress 96082->96085 96089 d94476 96084->96089 96085->96084 96088 d94470 GetNativeSystemInfo 96085->96088 96086->96079 96087 dd37df 96086->96087 96088->96089 96090 d9447a FreeLibrary 96089->96090 96091 d9109d 96089->96091 96090->96091 96092 db00a3 29 API calls __onexit 96091->96092 96092->96071 96118 dafe0b 96093->96118 96095 d9a976 96128 dafddb 96095->96128 96097 d942f5 GetVersionExW 96098 d96b57 96097->96098 96099 dd4ba1 96098->96099 96100 d96b67 _wcslen 96098->96100 96101 d993b2 22 API calls 96099->96101 96103 d96b7d 96100->96103 96104 d96ba2 96100->96104 96102 dd4baa 96101->96102 96102->96102 96153 d96f34 22 API calls 96103->96153 96106 dafddb 22 API calls 96104->96106 96107 d96bae 96106->96107 96108 dafe0b 22 API calls 96107->96108 96109 d96b85 __fread_nolock 96108->96109 96109->96076 96111 d993c0 96110->96111 96112 d993c9 __fread_nolock 96110->96112 96111->96112 96154 d9aec9 96111->96154 96112->96078 96112->96112 96115 d937ae 96114->96115 96116 d993b2 22 API calls 96115->96116 96117 d937c2 96116->96117 96117->96086 96119 dafddb 96118->96119 96121 dafdfa 96119->96121 96124 dafdfc 96119->96124 96138 dbea0c 96119->96138 96145 db4ead 7 API calls 2 library calls 96119->96145 96121->96095 96123 db066d 96147 db32a4 RaiseException 96123->96147 96124->96123 96146 db32a4 RaiseException 96124->96146 96127 db068a 96127->96095 96131 dafde0 96128->96131 96129 dbea0c ___std_exception_copy 21 API calls 96129->96131 96130 dafdfa 96130->96097 96131->96129 96131->96130 96134 dafdfc 96131->96134 96150 db4ead 7 API calls 2 library calls 96131->96150 96133 db066d 96152 db32a4 RaiseException 96133->96152 96134->96133 96151 db32a4 RaiseException 96134->96151 96137 db068a 96137->96097 96143 dc3820 __dosmaperr 96138->96143 96139 dc385e 96149 dbf2d9 20 API calls __dosmaperr 96139->96149 96140 dc3849 RtlAllocateHeap 96142 dc385c 96140->96142 96140->96143 96142->96119 96143->96139 96143->96140 96148 db4ead 7 API calls 2 library calls 96143->96148 96145->96119 96146->96123 96147->96127 96148->96143 96149->96142 96150->96131 96151->96133 96152->96137 96153->96109 96155 d9aed9 __fread_nolock 96154->96155 96156 d9aedc 96154->96156 96155->96112 96157 dafddb 22 API calls 96156->96157 96158 d9aee7 96157->96158 96159 dafe0b 22 API calls 96158->96159 96159->96155 96160 d9105b 96165 d9344d 96160->96165 96162 d9106a 96196 db00a3 29 API calls __onexit 96162->96196 96164 d91074 96166 d9345d __wsopen_s 96165->96166 96167 d9a961 22 API calls 96166->96167 96168 d93513 96167->96168 96197 d93a5a 96168->96197 96170 d9351c 96204 d93357 96170->96204 96177 d9a961 22 API calls 96178 d9354d 96177->96178 96225 d9a6c3 96178->96225 96181 dd3176 RegQueryValueExW 96182 dd320c RegCloseKey 96181->96182 96183 dd3193 96181->96183 96185 d93578 96182->96185 96195 dd321e _wcslen 96182->96195 96184 dafe0b 22 API calls 96183->96184 96186 dd31ac 96184->96186 96185->96162 96231 d95722 96186->96231 96187 d94c6d 22 API calls 96187->96195 96190 dd31d4 96191 d96b57 22 API calls 96190->96191 96192 dd31ee messages 96191->96192 96192->96182 96194 d9515f 22 API calls 96194->96195 96195->96185 96195->96187 96195->96194 96234 d99cb3 96195->96234 96196->96164 96240 dd1f50 96197->96240 96200 d99cb3 22 API calls 96201 d93a8d 96200->96201 96242 d93aa2 96201->96242 96203 d93a97 96203->96170 96205 dd1f50 __wsopen_s 96204->96205 96206 d93364 GetFullPathNameW 96205->96206 96207 d93386 96206->96207 96208 d96b57 22 API calls 96207->96208 96209 d933a4 96208->96209 96210 d933c6 96209->96210 96211 d933dd 96210->96211 96212 dd30bb 96210->96212 96252 d933ee 96211->96252 96214 dafddb 22 API calls 96212->96214 96216 dd30c5 _wcslen 96214->96216 96215 d933e8 96219 d9515f 96215->96219 96217 dafe0b 22 API calls 96216->96217 96218 dd30fe __fread_nolock 96217->96218 96220 d9516e 96219->96220 96224 d9518f __fread_nolock 96219->96224 96222 dafe0b 22 API calls 96220->96222 96221 dafddb 22 API calls 96223 d93544 96221->96223 96222->96224 96223->96177 96224->96221 96226 d9a6dd 96225->96226 96227 d93556 RegOpenKeyExW 96225->96227 96228 dafddb 22 API calls 96226->96228 96227->96181 96227->96185 96229 d9a6e7 96228->96229 96230 dafe0b 22 API calls 96229->96230 96230->96227 96232 dafddb 22 API calls 96231->96232 96233 d95734 RegQueryValueExW 96232->96233 96233->96190 96233->96192 96235 d99cc2 _wcslen 96234->96235 96236 dafe0b 22 API calls 96235->96236 96237 d99cea __fread_nolock 96236->96237 96238 dafddb 22 API calls 96237->96238 96239 d99d00 96238->96239 96239->96195 96241 d93a67 GetModuleFileNameW 96240->96241 96241->96200 96243 dd1f50 __wsopen_s 96242->96243 96244 d93aaf GetFullPathNameW 96243->96244 96245 d93ae9 96244->96245 96246 d93ace 96244->96246 96248 d9a6c3 22 API calls 96245->96248 96247 d96b57 22 API calls 96246->96247 96249 d93ada 96247->96249 96248->96249 96250 d937a0 22 API calls 96249->96250 96251 d93ae6 96250->96251 96251->96203 96253 d933fe _wcslen 96252->96253 96254 dd311d 96253->96254 96255 d93411 96253->96255 96257 dafddb 22 API calls 96254->96257 96262 d9a587 96255->96262 96258 dd3127 96257->96258 96260 dafe0b 22 API calls 96258->96260 96259 d9341e __fread_nolock 96259->96215 96261 dd3157 __fread_nolock 96260->96261 96264 d9a59d 96262->96264 96266 d9a598 __fread_nolock 96262->96266 96263 ddf80f 96264->96263 96265 dafe0b 22 API calls 96264->96265 96265->96266 96266->96259 96267 ded8dd GetTempPathW 96268 ded8fa 96267->96268 96269 d9dddc 96272 d9b710 96269->96272 96273 d9b72b 96272->96273 96274 de00f8 96273->96274 96275 de0146 96273->96275 96301 d9b750 96273->96301 96278 de0102 96274->96278 96281 de010f 96274->96281 96274->96301 96338 e158a2 235 API calls 2 library calls 96275->96338 96336 e15d33 235 API calls 96278->96336 96298 d9ba20 96281->96298 96337 e161d0 235 API calls 2 library calls 96281->96337 96284 de03d9 96284->96284 96288 d9ba4e 96289 de0322 96345 e15c0c 82 API calls 96289->96345 96296 dad336 40 API calls 96296->96301 96297 d9bbe0 40 API calls 96297->96301 96298->96288 96346 e0359c 82 API calls __wsopen_s 96298->96346 96301->96288 96301->96289 96301->96296 96301->96297 96301->96298 96303 d9ec40 96301->96303 96327 d9a81b 41 API calls 96301->96327 96328 dad2f0 40 API calls 96301->96328 96329 daa01b 235 API calls 96301->96329 96330 db0242 5 API calls __Init_thread_wait 96301->96330 96331 daedcd 22 API calls 96301->96331 96332 db00a3 29 API calls __onexit 96301->96332 96333 db01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96301->96333 96334 daee53 82 API calls 96301->96334 96335 dae5ca 235 API calls 96301->96335 96339 d9aceb 23 API calls messages 96301->96339 96340 def6bf 23 API calls 96301->96340 96341 d9a8c7 96301->96341 96321 d9ec76 messages 96303->96321 96304 dafddb 22 API calls 96304->96321 96305 db0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96305->96321 96306 d9fef7 96313 d9a8c7 22 API calls 96306->96313 96319 d9ed9d messages 96306->96319 96309 de4b0b 96350 e0359c 82 API calls __wsopen_s 96309->96350 96310 d9a8c7 22 API calls 96310->96321 96311 de4600 96316 d9a8c7 22 API calls 96311->96316 96311->96319 96313->96319 96316->96319 96317 d9fbe3 96317->96319 96320 de4bdc 96317->96320 96326 d9f3ae messages 96317->96326 96318 d9a961 22 API calls 96318->96321 96319->96301 96351 e0359c 82 API calls __wsopen_s 96320->96351 96321->96304 96321->96305 96321->96306 96321->96309 96321->96310 96321->96311 96321->96317 96321->96318 96321->96319 96322 db00a3 29 API calls pre_c_initialization 96321->96322 96324 db01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96321->96324 96325 de4beb 96321->96325 96321->96326 96347 da01e0 235 API calls 2 library calls 96321->96347 96348 da06a0 41 API calls messages 96321->96348 96322->96321 96324->96321 96352 e0359c 82 API calls __wsopen_s 96325->96352 96326->96319 96349 e0359c 82 API calls __wsopen_s 96326->96349 96327->96301 96328->96301 96329->96301 96330->96301 96331->96301 96332->96301 96333->96301 96334->96301 96335->96301 96336->96281 96337->96298 96338->96301 96339->96301 96340->96301 96342 d9a8ea __fread_nolock 96341->96342 96343 d9a8db 96341->96343 96342->96301 96343->96342 96344 dafe0b 22 API calls 96343->96344 96344->96342 96345->96298 96346->96284 96347->96321 96348->96321 96349->96319 96350->96319 96351->96325 96352->96319 96353 dc90fa 96354 dc9107 96353->96354 96358 dc911f 96353->96358 96410 dbf2d9 20 API calls __dosmaperr 96354->96410 96356 dc910c 96411 dc27ec 26 API calls __cftof 96356->96411 96359 dc917a 96358->96359 96367 dc9117 96358->96367 96412 dcfdc4 21 API calls 2 library calls 96358->96412 96373 dbd955 96359->96373 96362 dc9192 96380 dc8c32 96362->96380 96364 dc9199 96365 dbd955 __fread_nolock 26 API calls 96364->96365 96364->96367 96366 dc91c5 96365->96366 96366->96367 96368 dbd955 __fread_nolock 26 API calls 96366->96368 96369 dc91d3 96368->96369 96369->96367 96370 dbd955 __fread_nolock 26 API calls 96369->96370 96371 dc91e3 96370->96371 96372 dbd955 __fread_nolock 26 API calls 96371->96372 96372->96367 96374 dbd961 96373->96374 96375 dbd976 96373->96375 96413 dbf2d9 20 API calls __dosmaperr 96374->96413 96375->96362 96377 dbd966 96414 dc27ec 26 API calls __cftof 96377->96414 96379 dbd971 96379->96362 96381 dc8c3e CallCatchBlock 96380->96381 96382 dc8c5e 96381->96382 96383 dc8c46 96381->96383 96384 dc8d24 96382->96384 96388 dc8c97 96382->96388 96481 dbf2c6 20 API calls __dosmaperr 96383->96481 96488 dbf2c6 20 API calls __dosmaperr 96384->96488 96387 dc8c4b 96482 dbf2d9 20 API calls __dosmaperr 96387->96482 96391 dc8cbb 96388->96391 96392 dc8ca6 96388->96392 96389 dc8d29 96489 dbf2d9 20 API calls __dosmaperr 96389->96489 96415 dc5147 EnterCriticalSection 96391->96415 96483 dbf2c6 20 API calls __dosmaperr 96392->96483 96396 dc8cb3 96490 dc27ec 26 API calls __cftof 96396->96490 96397 dc8cab 96484 dbf2d9 20 API calls __dosmaperr 96397->96484 96398 dc8cc1 96401 dc8cdd 96398->96401 96402 dc8cf2 96398->96402 96399 dc8c53 __wsopen_s 96399->96364 96485 dbf2d9 20 API calls __dosmaperr 96401->96485 96416 dc8d45 96402->96416 96406 dc8ced 96487 dc8d1c LeaveCriticalSection __wsopen_s 96406->96487 96407 dc8ce2 96486 dbf2c6 20 API calls __dosmaperr 96407->96486 96410->96356 96411->96367 96412->96359 96413->96377 96414->96379 96415->96398 96417 dc8d6f 96416->96417 96418 dc8d57 96416->96418 96420 dc90d9 96417->96420 96425 dc8db4 96417->96425 96500 dbf2c6 20 API calls __dosmaperr 96418->96500 96516 dbf2c6 20 API calls __dosmaperr 96420->96516 96421 dc8d5c 96501 dbf2d9 20 API calls __dosmaperr 96421->96501 96424 dc90de 96517 dbf2d9 20 API calls __dosmaperr 96424->96517 96426 dc8d64 96425->96426 96428 dc8dbf 96425->96428 96432 dc8def 96425->96432 96426->96406 96502 dbf2c6 20 API calls __dosmaperr 96428->96502 96429 dc8dcc 96518 dc27ec 26 API calls __cftof 96429->96518 96431 dc8dc4 96503 dbf2d9 20 API calls __dosmaperr 96431->96503 96435 dc8e08 96432->96435 96436 dc8e2e 96432->96436 96437 dc8e4a 96432->96437 96435->96436 96439 dc8e15 96435->96439 96504 dbf2c6 20 API calls __dosmaperr 96436->96504 96507 dc3820 21 API calls __dosmaperr 96437->96507 96491 dcf89b 96439->96491 96441 dc8e33 96505 dbf2d9 20 API calls __dosmaperr 96441->96505 96442 dc8e61 96445 dc29c8 _free 20 API calls 96442->96445 96448 dc8e6a 96445->96448 96446 dc8fb3 96449 dc9029 96446->96449 96453 dc8fcc GetConsoleMode 96446->96453 96447 dc8e3a 96506 dc27ec 26 API calls __cftof 96447->96506 96451 dc29c8 _free 20 API calls 96448->96451 96452 dc902d ReadFile 96449->96452 96454 dc8e71 96451->96454 96455 dc9047 96452->96455 96456 dc90a1 GetLastError 96452->96456 96453->96449 96457 dc8fdd 96453->96457 96459 dc8e7b 96454->96459 96460 dc8e96 96454->96460 96455->96456 96463 dc901e 96455->96463 96461 dc90ae 96456->96461 96462 dc9005 96456->96462 96457->96452 96458 dc8fe3 ReadConsoleW 96457->96458 96458->96463 96464 dc8fff GetLastError 96458->96464 96508 dbf2d9 20 API calls __dosmaperr 96459->96508 96510 dc9424 28 API calls __wsopen_s 96460->96510 96514 dbf2d9 20 API calls __dosmaperr 96461->96514 96478 dc8e45 __fread_nolock 96462->96478 96511 dbf2a3 20 API calls __dosmaperr 96462->96511 96472 dc906c 96463->96472 96473 dc9083 96463->96473 96463->96478 96464->96462 96465 dc29c8 _free 20 API calls 96465->96426 96470 dc8e80 96509 dbf2c6 20 API calls __dosmaperr 96470->96509 96471 dc90b3 96515 dbf2c6 20 API calls __dosmaperr 96471->96515 96512 dc8a61 31 API calls 3 library calls 96472->96512 96477 dc909a 96473->96477 96473->96478 96513 dc88a1 29 API calls __wsopen_s 96477->96513 96478->96465 96480 dc909f 96480->96478 96481->96387 96482->96399 96483->96397 96484->96396 96485->96407 96486->96406 96487->96399 96488->96389 96489->96396 96490->96399 96492 dcf8a8 96491->96492 96493 dcf8b5 96491->96493 96519 dbf2d9 20 API calls __dosmaperr 96492->96519 96496 dcf8c1 96493->96496 96520 dbf2d9 20 API calls __dosmaperr 96493->96520 96495 dcf8ad 96495->96446 96496->96446 96498 dcf8e2 96521 dc27ec 26 API calls __cftof 96498->96521 96500->96421 96501->96426 96502->96431 96503->96429 96504->96441 96505->96447 96506->96478 96507->96442 96508->96470 96509->96478 96510->96439 96511->96478 96512->96478 96513->96480 96514->96471 96515->96478 96516->96424 96517->96429 96518->96426 96519->96495 96520->96498 96521->96495 96522 d9f7bf 96523 d9f7d3 96522->96523 96524 d9fcb6 96522->96524 96526 d9fcc2 96523->96526 96528 dafddb 22 API calls 96523->96528 96615 d9aceb 23 API calls messages 96524->96615 96616 d9aceb 23 API calls messages 96526->96616 96529 d9f7e5 96528->96529 96529->96526 96530 d9f83e 96529->96530 96531 d9fd3d 96529->96531 96540 d9ed9d messages 96530->96540 96557 da1310 96530->96557 96617 e01155 22 API calls 96531->96617 96534 de4beb 96621 e0359c 82 API calls __wsopen_s 96534->96621 96535 d9fef7 96535->96540 96543 d9a8c7 22 API calls 96535->96543 96537 d9ec76 messages 96537->96534 96537->96535 96539 dafddb 22 API calls 96537->96539 96537->96540 96541 de4b0b 96537->96541 96544 de4600 96537->96544 96547 d9a8c7 22 API calls 96537->96547 96549 db0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96537->96549 96550 d9fbe3 96537->96550 96551 d9a961 22 API calls 96537->96551 96554 db00a3 29 API calls pre_c_initialization 96537->96554 96555 db01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96537->96555 96556 d9f3ae messages 96537->96556 96613 da01e0 235 API calls 2 library calls 96537->96613 96614 da06a0 41 API calls messages 96537->96614 96539->96537 96619 e0359c 82 API calls __wsopen_s 96541->96619 96543->96540 96544->96540 96548 d9a8c7 22 API calls 96544->96548 96547->96537 96548->96540 96549->96537 96550->96540 96552 de4bdc 96550->96552 96550->96556 96551->96537 96620 e0359c 82 API calls __wsopen_s 96552->96620 96554->96537 96555->96537 96556->96540 96618 e0359c 82 API calls __wsopen_s 96556->96618 96558 da17b0 96557->96558 96559 da1376 96557->96559 96731 db0242 5 API calls __Init_thread_wait 96558->96731 96560 da1390 96559->96560 96561 de6331 96559->96561 96622 da1940 96560->96622 96564 de633d 96561->96564 96736 e1709c 235 API calls 96561->96736 96564->96537 96566 da17ba 96569 d99cb3 22 API calls 96566->96569 96571 da17fb 96566->96571 96568 da1940 9 API calls 96570 da13b6 96568->96570 96577 da17d4 96569->96577 96570->96571 96573 da13ec 96570->96573 96572 de6346 96571->96572 96574 da182c 96571->96574 96737 e0359c 82 API calls __wsopen_s 96572->96737 96573->96572 96597 da1408 __fread_nolock 96573->96597 96733 d9aceb 23 API calls messages 96574->96733 96732 db01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96577->96732 96578 da1839 96734 dad217 235 API calls 96578->96734 96581 de636e 96738 e0359c 82 API calls __wsopen_s 96581->96738 96582 da152f 96584 da153c 96582->96584 96585 de63d1 96582->96585 96587 da1940 9 API calls 96584->96587 96740 e15745 54 API calls _wcslen 96585->96740 96588 da1549 96587->96588 96592 de64fa 96588->96592 96594 da1940 9 API calls 96588->96594 96589 dafddb 22 API calls 96589->96597 96590 da1872 96735 dafaeb 23 API calls 96590->96735 96591 dafe0b 22 API calls 96591->96597 96601 de6369 96592->96601 96741 e0359c 82 API calls __wsopen_s 96592->96741 96599 da1563 96594->96599 96596 d9ec40 235 API calls 96596->96597 96597->96578 96597->96581 96597->96582 96597->96589 96597->96591 96597->96596 96598 de63b2 96597->96598 96597->96601 96739 e0359c 82 API calls __wsopen_s 96598->96739 96599->96592 96602 d9a8c7 22 API calls 96599->96602 96604 da15c7 messages 96599->96604 96601->96537 96602->96604 96603 da1940 9 API calls 96603->96604 96604->96590 96604->96592 96604->96601 96604->96603 96606 da167b messages 96604->96606 96632 e06ef1 96604->96632 96712 e0f0ec 96604->96712 96721 dfd4ce 96604->96721 96724 e1959f 96604->96724 96727 e1958b 96604->96727 96605 da171d 96605->96537 96606->96605 96730 dace17 22 API calls messages 96606->96730 96613->96537 96614->96537 96615->96526 96616->96531 96617->96540 96618->96540 96619->96540 96620->96534 96621->96540 96623 da1981 96622->96623 96627 da195d 96622->96627 96742 db0242 5 API calls __Init_thread_wait 96623->96742 96625 da198b 96625->96627 96743 db01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96625->96743 96631 da13a0 96627->96631 96744 db0242 5 API calls __Init_thread_wait 96627->96744 96628 da8727 96628->96631 96745 db01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96628->96745 96631->96568 96633 d9a961 22 API calls 96632->96633 96634 e06f1d 96633->96634 96635 d9a961 22 API calls 96634->96635 96636 e06f26 96635->96636 96637 e06f3a 96636->96637 96954 d9b567 39 API calls 96636->96954 96746 d97510 96637->96746 96640 e06fbc 96642 d97510 53 API calls 96640->96642 96641 e070bf 96769 d94ecb 96641->96769 96645 e06fc8 96642->96645 96644 e06f57 _wcslen 96644->96640 96644->96641 96711 e070e9 96644->96711 96649 d9a8c7 22 API calls 96645->96649 96654 e06fdb 96645->96654 96647 e070e5 96648 d9a961 22 API calls 96647->96648 96647->96711 96651 e0711a 96648->96651 96649->96654 96650 d94ecb 94 API calls 96650->96647 96652 d9a961 22 API calls 96651->96652 96656 e07126 96652->96656 96653 e07027 96655 d97510 53 API calls 96653->96655 96654->96653 96657 e07005 96654->96657 96661 d9a8c7 22 API calls 96654->96661 96659 e07034 96655->96659 96660 d9a961 22 API calls 96656->96660 96658 d933c6 22 API calls 96657->96658 96662 e0700f 96658->96662 96663 e07047 96659->96663 96664 e0703d 96659->96664 96665 e0712f 96660->96665 96661->96657 96666 d97510 53 API calls 96662->96666 96955 dfe199 GetFileAttributesW 96663->96955 96667 d9a8c7 22 API calls 96664->96667 96669 d9a961 22 API calls 96665->96669 96670 e0701b 96666->96670 96667->96663 96672 e07138 96669->96672 96673 d96350 22 API calls 96670->96673 96671 e07050 96674 e07063 96671->96674 96677 d94c6d 22 API calls 96671->96677 96675 d97510 53 API calls 96672->96675 96673->96653 96676 d97510 53 API calls 96674->96676 96684 e07069 96674->96684 96678 e07145 96675->96678 96680 e070a0 96676->96680 96677->96674 96791 d9525f 96678->96791 96956 dfd076 57 API calls 96680->96956 96681 e07166 96833 d94c6d 96681->96833 96684->96711 96686 e071a9 96688 d9a8c7 22 API calls 96686->96688 96687 d94c6d 22 API calls 96689 e07186 96687->96689 96690 e071ba 96688->96690 96689->96686 96692 d96b57 22 API calls 96689->96692 96836 d96350 96690->96836 96695 e0719b 96692->96695 96694 d96350 22 API calls 96696 e071d6 96694->96696 96697 d96b57 22 API calls 96695->96697 96698 d96350 22 API calls 96696->96698 96697->96686 96699 e071e4 96698->96699 96700 d97510 53 API calls 96699->96700 96701 e071f0 96700->96701 96845 dfd7bc 96701->96845 96703 e07201 96704 dfd4ce 4 API calls 96703->96704 96705 e0720b 96704->96705 96706 d97510 53 API calls 96705->96706 96709 e07239 96705->96709 96707 e07229 96706->96707 96899 e02947 96707->96899 96957 d94f39 96709->96957 96711->96604 96713 d97510 53 API calls 96712->96713 96714 e0f126 96713->96714 97492 d99e90 96714->97492 96716 e0f136 96717 e0f15b 96716->96717 96718 d9ec40 235 API calls 96716->96718 96720 e0f15f 96717->96720 97520 d99c6e 22 API calls 96717->97520 96718->96717 96720->96604 97541 dfdbbe lstrlenW 96721->97541 97546 e17f59 96724->97546 96726 e195af 96726->96604 96728 e17f59 120 API calls 96727->96728 96729 e1959b 96728->96729 96729->96604 96730->96606 96731->96566 96732->96571 96733->96578 96734->96590 96735->96590 96736->96564 96737->96601 96738->96601 96739->96601 96740->96599 96741->96601 96742->96625 96743->96627 96744->96628 96745->96631 96747 d97525 96746->96747 96763 d97522 96746->96763 96748 d9752d 96747->96748 96751 d9755b 96747->96751 96963 db51c6 26 API calls 96748->96963 96750 dd50f6 96966 db5183 26 API calls 96750->96966 96751->96750 96754 d9756d 96751->96754 96759 dd500f 96751->96759 96752 d9753d 96758 dafddb 22 API calls 96752->96758 96964 dafb21 51 API calls 96754->96964 96755 dd510e 96755->96755 96760 d97547 96758->96760 96762 dafe0b 22 API calls 96759->96762 96768 dd5088 96759->96768 96761 d99cb3 22 API calls 96760->96761 96761->96763 96764 dd5058 96762->96764 96763->96644 96765 dafddb 22 API calls 96764->96765 96766 dd507f 96765->96766 96767 d99cb3 22 API calls 96766->96767 96767->96768 96965 dafb21 51 API calls 96768->96965 96967 d94e90 LoadLibraryA 96769->96967 96774 dd3ccf 96776 d94f39 68 API calls 96774->96776 96775 d94ef6 LoadLibraryExW 96975 d94e59 LoadLibraryA 96775->96975 96779 dd3cd6 96776->96779 96781 d94e59 3 API calls 96779->96781 96783 dd3cde 96781->96783 96782 d94f20 96782->96783 96784 d94f2c 96782->96784 96997 d950f5 96783->96997 96785 d94f39 68 API calls 96784->96785 96787 d94f31 96785->96787 96787->96647 96787->96650 96790 dd3d05 96792 d9a961 22 API calls 96791->96792 96793 d95275 96792->96793 96794 d9a961 22 API calls 96793->96794 96795 d9527d 96794->96795 96796 d9a961 22 API calls 96795->96796 96797 d95285 96796->96797 96798 d9a961 22 API calls 96797->96798 96799 d9528d 96798->96799 96800 dd3df5 96799->96800 96801 d952c1 96799->96801 96802 d9a8c7 22 API calls 96800->96802 96803 d96d25 22 API calls 96801->96803 96804 dd3dfe 96802->96804 96805 d952cf 96803->96805 96806 d9a6c3 22 API calls 96804->96806 96807 d993b2 22 API calls 96805->96807 96810 d95304 96806->96810 96808 d952d9 96807->96808 96808->96810 96811 d96d25 22 API calls 96808->96811 96809 d95349 97144 d96d25 96809->97144 96810->96809 96812 d95325 96810->96812 96822 dd3e20 96810->96822 96814 d952fa 96811->96814 96812->96809 96817 d94c6d 22 API calls 96812->96817 96816 d993b2 22 API calls 96814->96816 96815 d9535a 96818 d95370 96815->96818 96824 d9a8c7 22 API calls 96815->96824 96816->96810 96820 d95332 96817->96820 96819 d95384 96818->96819 96825 d9a8c7 22 API calls 96818->96825 96823 d9538f 96819->96823 96827 d9a8c7 22 API calls 96819->96827 96820->96809 96826 d96d25 22 API calls 96820->96826 96821 d96b57 22 API calls 96828 dd3ee0 96821->96828 96822->96821 96829 d9a8c7 22 API calls 96823->96829 96831 d9539a 96823->96831 96824->96818 96825->96819 96826->96809 96827->96823 96828->96809 96830 d94c6d 22 API calls 96828->96830 97157 d949bd 22 API calls __fread_nolock 96828->97157 96829->96831 96830->96828 96831->96681 96834 d9aec9 22 API calls 96833->96834 96835 d94c78 96834->96835 96835->96686 96835->96687 96837 d96362 96836->96837 96838 dd4a51 96836->96838 97159 d96373 96837->97159 97169 d94a88 22 API calls __fread_nolock 96838->97169 96841 d9636e 96841->96694 96842 dd4a5b 96843 d9a8c7 22 API calls 96842->96843 96844 dd4a67 96842->96844 96843->96844 96846 dfd7d8 96845->96846 96847 dfd7dd 96846->96847 96848 dfd7f3 96846->96848 96850 d9a8c7 22 API calls 96847->96850 96898 dfd7ee 96847->96898 96849 d9a961 22 API calls 96848->96849 96851 dfd7fb 96849->96851 96850->96898 96852 d9a961 22 API calls 96851->96852 96853 dfd803 96852->96853 96854 d9a961 22 API calls 96853->96854 96855 dfd80e 96854->96855 96856 d9a961 22 API calls 96855->96856 96857 dfd816 96856->96857 96858 d9a961 22 API calls 96857->96858 96859 dfd81e 96858->96859 96860 d9a961 22 API calls 96859->96860 96861 dfd826 96860->96861 96862 d9a961 22 API calls 96861->96862 96863 dfd82e 96862->96863 96864 d9a961 22 API calls 96863->96864 96865 dfd836 96864->96865 96866 d9525f 22 API calls 96865->96866 96867 dfd84d 96866->96867 96868 d9525f 22 API calls 96867->96868 96869 dfd866 96868->96869 96870 d94c6d 22 API calls 96869->96870 96871 dfd872 96870->96871 96872 dfd885 96871->96872 96873 d993b2 22 API calls 96871->96873 96874 d94c6d 22 API calls 96872->96874 96873->96872 96875 dfd88e 96874->96875 96876 dfd89e 96875->96876 96878 d993b2 22 API calls 96875->96878 96877 dfd8b0 96876->96877 96879 d9a8c7 22 API calls 96876->96879 96880 d96350 22 API calls 96877->96880 96878->96876 96879->96877 96881 dfd8bb 96880->96881 97170 dfd978 22 API calls 96881->97170 96883 dfd8ca 97171 dfd978 22 API calls 96883->97171 96885 dfd8dd 96886 d94c6d 22 API calls 96885->96886 96887 dfd8e7 96886->96887 96888 dfd8fe 96887->96888 96889 dfd8ec 96887->96889 96890 d94c6d 22 API calls 96888->96890 96891 d933c6 22 API calls 96889->96891 96892 dfd907 96890->96892 96893 dfd8f9 96891->96893 96894 dfd925 96892->96894 96895 d933c6 22 API calls 96892->96895 96896 d96350 22 API calls 96893->96896 96897 d96350 22 API calls 96894->96897 96895->96893 96896->96894 96897->96898 96898->96703 96900 e02954 __wsopen_s 96899->96900 96901 dafe0b 22 API calls 96900->96901 96902 e02971 96901->96902 96903 d95722 22 API calls 96902->96903 96904 e0297b 96903->96904 96905 e0274e 27 API calls 96904->96905 96906 e02986 96905->96906 96907 d9511f 64 API calls 96906->96907 96908 e0299b 96907->96908 96909 e02a6c 96908->96909 96910 e029bf 96908->96910 96911 e02e66 75 API calls 96909->96911 97198 e02e66 96910->97198 96927 e02a38 96911->96927 96915 d950f5 40 API calls 96916 e02a91 96915->96916 96917 d950f5 40 API calls 96916->96917 96920 e02aa1 96917->96920 96918 e02a75 messages 96918->96709 96919 e029ed 97205 dbd583 26 API calls 96919->97205 96921 d950f5 40 API calls 96920->96921 96923 e02abc 96921->96923 96924 d950f5 40 API calls 96923->96924 96925 e02acc 96924->96925 96926 d950f5 40 API calls 96925->96926 96928 e02ae7 96926->96928 96927->96915 96927->96918 96929 d950f5 40 API calls 96928->96929 96930 e02af7 96929->96930 96931 d950f5 40 API calls 96930->96931 96932 e02b07 96931->96932 96933 d950f5 40 API calls 96932->96933 96934 e02b17 96933->96934 97172 e03017 GetTempPathW GetTempFileNameW 96934->97172 96936 e02b22 96937 dbe5eb 29 API calls 96936->96937 96939 e02b33 96937->96939 96939->96918 96941 d950f5 40 API calls 96939->96941 96950 e02bed 96939->96950 97173 dbdbb3 96939->97173 96940 e02bf8 96942 e02c12 96940->96942 96943 e02bfe DeleteFileW 96940->96943 96941->96939 96944 e02c91 CopyFileW 96942->96944 96949 e02c18 96942->96949 96943->96918 96945 e02ca7 DeleteFileW 96944->96945 96946 e02cb9 DeleteFileW 96944->96946 96945->96918 97195 e02fd8 CreateFileW 96946->97195 97206 e022ce 96949->97206 97182 dbe678 96950->97182 96953 e02c80 DeleteFileW 96953->96918 96954->96637 96955->96671 96956->96684 96958 d94f43 96957->96958 96960 d94f4a 96957->96960 96959 dbe678 67 API calls 96958->96959 96959->96960 96961 d94f59 96960->96961 96962 d94f6a FreeLibrary 96960->96962 96961->96711 96962->96961 96963->96752 96964->96752 96965->96750 96966->96755 96968 d94ea8 GetProcAddress 96967->96968 96969 d94ec6 96967->96969 96970 d94eb8 96968->96970 96972 dbe5eb 96969->96972 96970->96969 96971 d94ebf FreeLibrary 96970->96971 96971->96969 97005 dbe52a 96972->97005 96974 d94eea 96974->96774 96974->96775 96976 d94e8d 96975->96976 96977 d94e6e GetProcAddress 96975->96977 96980 d94f80 96976->96980 96978 d94e7e 96977->96978 96978->96976 96979 d94e86 FreeLibrary 96978->96979 96979->96976 96981 dafe0b 22 API calls 96980->96981 96982 d94f95 96981->96982 96983 d95722 22 API calls 96982->96983 96984 d94fa1 __fread_nolock 96983->96984 96985 dd3d1d 96984->96985 96986 d950a5 96984->96986 96996 d94fdc 96984->96996 97068 e0304d 74 API calls 96985->97068 97057 d942a2 CreateStreamOnHGlobal 96986->97057 96989 dd3d22 96991 d9511f 64 API calls 96989->96991 96990 d950f5 40 API calls 96990->96996 96992 dd3d45 96991->96992 96993 d950f5 40 API calls 96992->96993 96994 d9506e messages 96993->96994 96994->96782 96996->96989 96996->96990 96996->96994 97063 d9511f 96996->97063 96998 dd3d70 96997->96998 96999 d95107 96997->96999 97090 dbe8c4 96999->97090 97002 e028fe 97127 e0274e 97002->97127 97004 e02919 97004->96790 97008 dbe536 CallCatchBlock 97005->97008 97006 dbe544 97030 dbf2d9 20 API calls __dosmaperr 97006->97030 97008->97006 97010 dbe574 97008->97010 97009 dbe549 97031 dc27ec 26 API calls __cftof 97009->97031 97012 dbe579 97010->97012 97013 dbe586 97010->97013 97032 dbf2d9 20 API calls __dosmaperr 97012->97032 97022 dc8061 97013->97022 97016 dbe58f 97017 dbe5a2 97016->97017 97018 dbe595 97016->97018 97034 dbe5d4 LeaveCriticalSection __fread_nolock 97017->97034 97033 dbf2d9 20 API calls __dosmaperr 97018->97033 97019 dbe554 __wsopen_s 97019->96974 97023 dc806d CallCatchBlock 97022->97023 97035 dc2f5e EnterCriticalSection 97023->97035 97025 dc807b 97036 dc80fb 97025->97036 97029 dc80ac __wsopen_s 97029->97016 97030->97009 97031->97019 97032->97019 97033->97019 97034->97019 97035->97025 97044 dc811e 97036->97044 97037 dc8177 97038 dc4c7d __dosmaperr 20 API calls 97037->97038 97039 dc8180 97038->97039 97041 dc29c8 _free 20 API calls 97039->97041 97042 dc8189 97041->97042 97045 dc8088 97042->97045 97054 dc3405 11 API calls 2 library calls 97042->97054 97044->97037 97044->97045 97052 db918d EnterCriticalSection 97044->97052 97053 db91a1 LeaveCriticalSection 97044->97053 97049 dc80b7 97045->97049 97047 dc81a8 97055 db918d EnterCriticalSection 97047->97055 97056 dc2fa6 LeaveCriticalSection 97049->97056 97051 dc80be 97051->97029 97052->97044 97053->97044 97054->97047 97055->97045 97056->97051 97058 d942d9 97057->97058 97059 d942bc FindResourceExW 97057->97059 97058->96996 97059->97058 97060 dd35ba LoadResource 97059->97060 97060->97058 97061 dd35cf SizeofResource 97060->97061 97061->97058 97062 dd35e3 LockResource 97061->97062 97062->97058 97064 d9512e 97063->97064 97065 dd3d90 97063->97065 97069 dbece3 97064->97069 97068->96989 97072 dbeaaa 97069->97072 97071 d9513c 97071->96996 97076 dbeab6 CallCatchBlock 97072->97076 97073 dbeac2 97085 dbf2d9 20 API calls __dosmaperr 97073->97085 97075 dbeae8 97087 db918d EnterCriticalSection 97075->97087 97076->97073 97076->97075 97077 dbeac7 97086 dc27ec 26 API calls __cftof 97077->97086 97080 dbeaf4 97088 dbec0a 62 API calls 2 library calls 97080->97088 97082 dbeb08 97089 dbeb27 LeaveCriticalSection __fread_nolock 97082->97089 97084 dbead2 __wsopen_s 97084->97071 97085->97077 97086->97084 97087->97080 97088->97082 97089->97084 97093 dbe8e1 97090->97093 97092 d95118 97092->97002 97094 dbe8ed CallCatchBlock 97093->97094 97095 dbe925 __wsopen_s 97094->97095 97096 dbe92d 97094->97096 97097 dbe900 ___scrt_fastfail 97094->97097 97095->97092 97106 db918d EnterCriticalSection 97096->97106 97120 dbf2d9 20 API calls __dosmaperr 97097->97120 97100 dbe937 97107 dbe6f8 97100->97107 97102 dbe91a 97121 dc27ec 26 API calls __cftof 97102->97121 97106->97100 97108 dbe727 97107->97108 97111 dbe70a ___scrt_fastfail 97107->97111 97122 dbe96c LeaveCriticalSection __fread_nolock 97108->97122 97109 dbe717 97123 dbf2d9 20 API calls __dosmaperr 97109->97123 97111->97108 97111->97109 97114 dbe76a __fread_nolock 97111->97114 97113 dbe886 ___scrt_fastfail 97126 dbf2d9 20 API calls __dosmaperr 97113->97126 97114->97108 97114->97113 97116 dbd955 __fread_nolock 26 API calls 97114->97116 97119 dc8d45 __fread_nolock 38 API calls 97114->97119 97125 dbcf78 26 API calls 4 library calls 97114->97125 97116->97114 97118 dbe71c 97124 dc27ec 26 API calls __cftof 97118->97124 97119->97114 97120->97102 97121->97095 97122->97095 97123->97118 97124->97108 97125->97114 97126->97118 97130 dbe4e8 97127->97130 97129 e0275d 97129->97004 97133 dbe469 97130->97133 97132 dbe505 97132->97129 97134 dbe478 97133->97134 97135 dbe48c 97133->97135 97141 dbf2d9 20 API calls __dosmaperr 97134->97141 97139 dbe488 __alldvrm 97135->97139 97143 dc333f 11 API calls 2 library calls 97135->97143 97138 dbe47d 97142 dc27ec 26 API calls __cftof 97138->97142 97139->97132 97141->97138 97142->97139 97143->97139 97145 d96d91 97144->97145 97146 d96d34 97144->97146 97148 d993b2 22 API calls 97145->97148 97146->97145 97147 d96d3f 97146->97147 97149 dd4c9d 97147->97149 97150 d96d5a 97147->97150 97154 d96d62 __fread_nolock 97148->97154 97152 dafddb 22 API calls 97149->97152 97158 d96f34 22 API calls 97150->97158 97153 dd4ca7 97152->97153 97155 dafe0b 22 API calls 97153->97155 97154->96815 97156 dd4cda 97155->97156 97157->96828 97158->97154 97160 d96382 97159->97160 97166 d963b6 __fread_nolock 97159->97166 97161 dd4a82 97160->97161 97162 d963a9 97160->97162 97160->97166 97163 dafddb 22 API calls 97161->97163 97164 d9a587 22 API calls 97162->97164 97165 dd4a91 97163->97165 97164->97166 97167 dafe0b 22 API calls 97165->97167 97166->96841 97168 dd4ac5 __fread_nolock 97167->97168 97169->96842 97170->96883 97171->96885 97172->96936 97174 dbdbdd 97173->97174 97175 dbdbc1 97173->97175 97174->96939 97175->97174 97176 dbdbcd 97175->97176 97177 dbdbe3 97175->97177 97238 dbf2d9 20 API calls __dosmaperr 97176->97238 97235 dbd9cc 97177->97235 97180 dbdbd2 97239 dc27ec 26 API calls __cftof 97180->97239 97183 dbe684 CallCatchBlock 97182->97183 97184 dbe6aa 97183->97184 97185 dbe695 97183->97185 97194 dbe6a5 __wsopen_s 97184->97194 97374 db918d EnterCriticalSection 97184->97374 97391 dbf2d9 20 API calls __dosmaperr 97185->97391 97187 dbe69a 97392 dc27ec 26 API calls __cftof 97187->97392 97190 dbe6c6 97375 dbe602 97190->97375 97192 dbe6d1 97393 dbe6ee LeaveCriticalSection __fread_nolock 97192->97393 97194->96940 97196 e03013 97195->97196 97197 e02fff SetFileTime CloseHandle 97195->97197 97196->96918 97197->97196 97203 e02e7a 97198->97203 97199 d950f5 40 API calls 97199->97203 97200 e029c4 97200->96918 97204 dbd583 26 API calls 97200->97204 97201 e028fe 27 API calls 97201->97203 97202 d9511f 64 API calls 97202->97203 97203->97199 97203->97200 97203->97201 97203->97202 97204->96919 97205->96927 97207 e022e7 97206->97207 97208 e022d9 97206->97208 97210 e0232c 97207->97210 97211 dbe5eb 29 API calls 97207->97211 97221 e022f0 97207->97221 97209 dbe5eb 29 API calls 97208->97209 97209->97207 97467 e02557 97210->97467 97212 e02311 97211->97212 97212->97210 97214 e0231a 97212->97214 97218 dbe678 67 API calls 97214->97218 97214->97221 97215 e02370 97216 e02374 97215->97216 97217 e02395 97215->97217 97220 e02381 97216->97220 97223 dbe678 67 API calls 97216->97223 97471 e02171 97217->97471 97218->97221 97220->97221 97224 dbe678 67 API calls 97220->97224 97221->96946 97221->96953 97222 e0239d 97225 e023c3 97222->97225 97226 e023a3 97222->97226 97223->97220 97224->97221 97478 e023f3 97225->97478 97228 dbe678 67 API calls 97226->97228 97230 e023b0 97226->97230 97228->97230 97229 e023ca 97232 e023de 97229->97232 97233 dbe678 67 API calls 97229->97233 97230->97221 97231 dbe678 67 API calls 97230->97231 97231->97221 97232->97221 97234 dbe678 67 API calls 97232->97234 97233->97232 97234->97221 97240 dbd97b 97235->97240 97237 dbd9f0 97237->97174 97238->97180 97239->97174 97241 dbd987 CallCatchBlock 97240->97241 97248 db918d EnterCriticalSection 97241->97248 97243 dbd995 97249 dbd9f4 97243->97249 97247 dbd9b3 __wsopen_s 97247->97237 97248->97243 97257 dc49a1 97249->97257 97255 dbd9a2 97256 dbd9c0 LeaveCriticalSection __fread_nolock 97255->97256 97256->97247 97258 dbd955 __fread_nolock 26 API calls 97257->97258 97259 dc49b0 97258->97259 97260 dcf89b __fread_nolock 26 API calls 97259->97260 97261 dc49b6 97260->97261 97265 dbda09 97261->97265 97278 dc3820 21 API calls __dosmaperr 97261->97278 97263 dc4a15 97264 dc29c8 _free 20 API calls 97263->97264 97264->97265 97266 dbda3a 97265->97266 97269 dbda4c 97266->97269 97272 dbda24 97266->97272 97267 dbda5a 97304 dbf2d9 20 API calls __dosmaperr 97267->97304 97269->97267 97269->97272 97273 dbda85 __fread_nolock 97269->97273 97270 dbda5f 97305 dc27ec 26 API calls __cftof 97270->97305 97277 dc4a56 62 API calls 97272->97277 97273->97272 97275 dbd955 __fread_nolock 26 API calls 97273->97275 97279 dc59be 97273->97279 97306 dbdc0b 97273->97306 97275->97273 97277->97255 97278->97263 97280 dc59ca CallCatchBlock 97279->97280 97281 dc59ea 97280->97281 97282 dc59d2 97280->97282 97284 dc5a88 97281->97284 97289 dc5a1f 97281->97289 97366 dbf2c6 20 API calls __dosmaperr 97282->97366 97371 dbf2c6 20 API calls __dosmaperr 97284->97371 97285 dc59d7 97367 dbf2d9 20 API calls __dosmaperr 97285->97367 97288 dc5a8d 97372 dbf2d9 20 API calls __dosmaperr 97288->97372 97312 dc5147 EnterCriticalSection 97289->97312 97290 dc59df __wsopen_s 97290->97273 97293 dc5a95 97373 dc27ec 26 API calls __cftof 97293->97373 97294 dc5a25 97296 dc5a56 97294->97296 97297 dc5a41 97294->97297 97313 dc5aa9 97296->97313 97368 dbf2d9 20 API calls __dosmaperr 97297->97368 97300 dc5a51 97370 dc5a80 LeaveCriticalSection __wsopen_s 97300->97370 97301 dc5a46 97369 dbf2c6 20 API calls __dosmaperr 97301->97369 97304->97270 97305->97272 97307 dbdc23 97306->97307 97308 dbdc1f 97306->97308 97307->97308 97309 dbd955 __fread_nolock 26 API calls 97307->97309 97308->97273 97310 dbdc43 97309->97310 97311 dc59be __wsopen_s 62 API calls 97310->97311 97311->97308 97312->97294 97314 dc5ad7 97313->97314 97345 dc5ad0 97313->97345 97315 dc5afa 97314->97315 97316 dc5adb 97314->97316 97319 dc5b4b 97315->97319 97320 dc5b2e 97315->97320 97318 dbf2c6 __dosmaperr 20 API calls 97316->97318 97317 db0a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 97321 dc5cb1 97317->97321 97322 dc5ae0 97318->97322 97324 dc5b61 97319->97324 97326 dc9424 __wsopen_s 28 API calls 97319->97326 97323 dbf2c6 __dosmaperr 20 API calls 97320->97323 97321->97300 97325 dbf2d9 __dosmaperr 20 API calls 97322->97325 97329 dc5b33 97323->97329 97328 dc564e __wsopen_s 39 API calls 97324->97328 97327 dc5ae7 97325->97327 97326->97324 97330 dc27ec __cftof 26 API calls 97327->97330 97331 dc5b6a 97328->97331 97332 dbf2d9 __dosmaperr 20 API calls 97329->97332 97330->97345 97333 dc5b6f 97331->97333 97334 dc5ba8 97331->97334 97335 dc5b3b 97332->97335 97336 dc5b95 97333->97336 97337 dc5b73 97333->97337 97339 dc5bbc 97334->97339 97340 dc5c02 WriteFile 97334->97340 97338 dc27ec __cftof 26 API calls 97335->97338 97344 dc542e __wsopen_s 45 API calls 97336->97344 97343 dc5c69 97337->97343 97349 dc55e1 __wsopen_s GetLastError WriteConsoleW CreateFileW 97337->97349 97338->97345 97341 dc5bc4 97339->97341 97342 dc5bf2 97339->97342 97346 dc5c25 GetLastError 97340->97346 97351 dc5b8b 97340->97351 97347 dc5bc9 97341->97347 97348 dc5be2 97341->97348 97350 dc56c4 __wsopen_s 7 API calls 97342->97350 97343->97345 97355 dbf2d9 __dosmaperr 20 API calls 97343->97355 97344->97351 97345->97317 97346->97351 97347->97343 97352 dc5bd2 97347->97352 97353 dc5891 __wsopen_s 8 API calls 97348->97353 97349->97351 97354 dc5be0 97350->97354 97351->97343 97351->97345 97356 dc5c45 97351->97356 97357 dc57a3 __wsopen_s 7 API calls 97352->97357 97353->97354 97354->97351 97358 dc5c8e 97355->97358 97360 dc5c4c 97356->97360 97361 dc5c60 97356->97361 97357->97354 97359 dbf2c6 __dosmaperr 20 API calls 97358->97359 97359->97345 97362 dbf2d9 __dosmaperr 20 API calls 97360->97362 97363 dbf2a3 __dosmaperr 20 API calls 97361->97363 97364 dc5c51 97362->97364 97363->97345 97365 dbf2c6 __dosmaperr 20 API calls 97364->97365 97365->97345 97366->97285 97367->97290 97368->97301 97369->97300 97370->97290 97371->97288 97372->97293 97373->97290 97374->97190 97376 dbe60f 97375->97376 97377 dbe624 97375->97377 97413 dbf2d9 20 API calls __dosmaperr 97376->97413 97380 dbdc0b 62 API calls 97377->97380 97382 dbe61f 97377->97382 97379 dbe614 97414 dc27ec 26 API calls __cftof 97379->97414 97383 dbe638 97380->97383 97382->97192 97394 dc4d7a 97383->97394 97386 dbd955 __fread_nolock 26 API calls 97387 dbe646 97386->97387 97398 dc862f 97387->97398 97390 dc29c8 _free 20 API calls 97390->97382 97391->97187 97392->97194 97393->97194 97395 dbe640 97394->97395 97396 dc4d90 97394->97396 97395->97386 97396->97395 97397 dc29c8 _free 20 API calls 97396->97397 97397->97395 97399 dc863e 97398->97399 97400 dc8653 97398->97400 97418 dbf2c6 20 API calls __dosmaperr 97399->97418 97401 dc868e 97400->97401 97405 dc867a 97400->97405 97420 dbf2c6 20 API calls __dosmaperr 97401->97420 97404 dc8643 97419 dbf2d9 20 API calls __dosmaperr 97404->97419 97415 dc8607 97405->97415 97406 dc8693 97421 dbf2d9 20 API calls __dosmaperr 97406->97421 97410 dbe64c 97410->97382 97410->97390 97411 dc869b 97422 dc27ec 26 API calls __cftof 97411->97422 97413->97379 97414->97382 97423 dc8585 97415->97423 97417 dc862b 97417->97410 97418->97404 97419->97410 97420->97406 97421->97411 97422->97410 97424 dc8591 CallCatchBlock 97423->97424 97434 dc5147 EnterCriticalSection 97424->97434 97426 dc859f 97427 dc85c6 97426->97427 97428 dc85d1 97426->97428 97435 dc86ae 97427->97435 97450 dbf2d9 20 API calls __dosmaperr 97428->97450 97431 dc85cc 97451 dc85fb LeaveCriticalSection __wsopen_s 97431->97451 97433 dc85ee __wsopen_s 97433->97417 97434->97426 97452 dc53c4 97435->97452 97437 dc86c4 97465 dc5333 21 API calls 2 library calls 97437->97465 97438 dc86be 97438->97437 97440 dc53c4 __wsopen_s 26 API calls 97438->97440 97449 dc86f6 97438->97449 97444 dc86ed 97440->97444 97441 dc53c4 __wsopen_s 26 API calls 97445 dc8702 FindCloseChangeNotification 97441->97445 97442 dc871c 97443 dc873e 97442->97443 97466 dbf2a3 20 API calls __dosmaperr 97442->97466 97443->97431 97447 dc53c4 __wsopen_s 26 API calls 97444->97447 97445->97437 97448 dc870e GetLastError 97445->97448 97447->97449 97448->97437 97449->97437 97449->97441 97450->97431 97451->97433 97453 dc53d1 97452->97453 97456 dc53e6 97452->97456 97454 dbf2c6 __dosmaperr 20 API calls 97453->97454 97455 dc53d6 97454->97455 97458 dbf2d9 __dosmaperr 20 API calls 97455->97458 97457 dbf2c6 __dosmaperr 20 API calls 97456->97457 97459 dc540b 97456->97459 97460 dc5416 97457->97460 97461 dc53de 97458->97461 97459->97438 97462 dbf2d9 __dosmaperr 20 API calls 97460->97462 97461->97438 97463 dc541e 97462->97463 97464 dc27ec __cftof 26 API calls 97463->97464 97464->97461 97465->97442 97466->97443 97468 e0257c 97467->97468 97470 e02565 __fread_nolock 97467->97470 97469 dbe8c4 __fread_nolock 40 API calls 97468->97469 97469->97470 97470->97215 97472 dbea0c ___std_exception_copy 21 API calls 97471->97472 97473 e0217f 97472->97473 97474 dbea0c ___std_exception_copy 21 API calls 97473->97474 97475 e02190 97474->97475 97476 dbea0c ___std_exception_copy 21 API calls 97475->97476 97477 e0219c 97476->97477 97477->97222 97482 e02408 97478->97482 97479 e024c0 97486 e02724 97479->97486 97481 e021cc 40 API calls 97481->97482 97482->97479 97482->97481 97485 e024c7 97482->97485 97490 e02269 40 API calls 97482->97490 97491 e02606 65 API calls 97482->97491 97485->97229 97487 e02731 97486->97487 97488 e02742 97486->97488 97489 dbdbb3 65 API calls 97487->97489 97488->97485 97489->97488 97490->97482 97491->97482 97521 d96270 97492->97521 97494 d99fd2 97527 d9a4a1 97494->97527 97498 d9a6c3 22 API calls 97519 d99eb5 97498->97519 97499 ddf7c4 97539 df96e2 84 API calls __wsopen_s 97499->97539 97500 ddf699 97508 dafddb 22 API calls 97500->97508 97501 d9a405 97504 d99fec 97501->97504 97540 df96e2 84 API calls __wsopen_s 97501->97540 97502 d9a4a1 22 API calls 97502->97519 97504->96716 97507 ddf7d2 97509 d9a4a1 22 API calls 97507->97509 97510 ddf754 97508->97510 97511 ddf7e8 97509->97511 97512 dafe0b 22 API calls 97510->97512 97511->97504 97513 d9a12c __fread_nolock 97512->97513 97513->97499 97513->97501 97515 d9a587 22 API calls 97515->97519 97516 d9aec9 22 API calls 97517 d9a0db CharUpperBuffW 97516->97517 97535 d9a673 22 API calls 97517->97535 97519->97494 97519->97498 97519->97499 97519->97500 97519->97501 97519->97502 97519->97513 97519->97515 97519->97516 97526 d94573 41 API calls _wcslen 97519->97526 97536 d948c8 23 API calls 97519->97536 97537 d949bd 22 API calls __fread_nolock 97519->97537 97538 d9a673 22 API calls 97519->97538 97520->96720 97522 dafe0b 22 API calls 97521->97522 97523 d96295 97522->97523 97524 dafddb 22 API calls 97523->97524 97525 d962a3 97524->97525 97525->97519 97526->97519 97528 d9a52b 97527->97528 97532 d9a4b1 __fread_nolock 97527->97532 97530 dafe0b 22 API calls 97528->97530 97529 dafddb 22 API calls 97531 d9a4b8 97529->97531 97530->97532 97533 dafddb 22 API calls 97531->97533 97534 d9a4d6 97531->97534 97532->97529 97533->97534 97534->97504 97535->97519 97536->97519 97537->97519 97538->97519 97539->97507 97540->97504 97542 dfdbdc GetFileAttributesW 97541->97542 97543 dfd4d5 97541->97543 97542->97543 97544 dfdbe8 FindFirstFileW 97542->97544 97543->96604 97544->97543 97545 dfdbf9 FindClose 97544->97545 97545->97543 97547 d97510 53 API calls 97546->97547 97548 e17f90 97547->97548 97570 e17fd5 messages 97548->97570 97584 e18cd3 97548->97584 97550 e18049 97555 d97510 53 API calls 97550->97555 97550->97570 97571 e18281 97550->97571 97616 df417d 22 API calls __fread_nolock 97550->97616 97617 e1851d 42 API calls _strftime 97550->97617 97551 e1844f 97625 e18ee4 60 API calls 97551->97625 97554 e1845e 97556 e1828f 97554->97556 97557 e1846a 97554->97557 97555->97550 97597 e17e86 97556->97597 97557->97570 97562 e182c8 97612 dafc70 97562->97612 97565 e18302 97619 d963eb 22 API calls 97565->97619 97566 e182e8 97618 e0359c 82 API calls __wsopen_s 97566->97618 97569 e182f3 GetCurrentProcess TerminateProcess 97569->97565 97570->96726 97571->97551 97571->97556 97572 e18311 97620 d96a50 22 API calls 97572->97620 97574 e1832a 97583 e18352 97574->97583 97621 da04f0 22 API calls 97574->97621 97575 e184c5 97575->97570 97580 e184d9 FreeLibrary 97575->97580 97577 e18341 97622 e18b7b 75 API calls 97577->97622 97580->97570 97583->97575 97623 da04f0 22 API calls 97583->97623 97624 d9aceb 23 API calls messages 97583->97624 97626 e18b7b 75 API calls 97583->97626 97585 d9aec9 22 API calls 97584->97585 97586 e18cee CharLowerBuffW 97585->97586 97627 df8e54 97586->97627 97590 d9a961 22 API calls 97591 e18d2a 97590->97591 97592 d96d25 22 API calls 97591->97592 97593 e18d3e 97592->97593 97594 d993b2 22 API calls 97593->97594 97596 e18d48 _wcslen 97594->97596 97595 e18e5e _wcslen 97595->97550 97596->97595 97634 e1851d 42 API calls _strftime 97596->97634 97598 e17ea1 97597->97598 97599 e17eec 97597->97599 97600 dafe0b 22 API calls 97598->97600 97603 e19096 97599->97603 97601 e17ec3 97600->97601 97601->97599 97602 dafddb 22 API calls 97601->97602 97602->97601 97604 e192ab messages 97603->97604 97609 e190ba _strcat _wcslen 97603->97609 97604->97562 97605 d9b6b5 39 API calls 97605->97609 97606 d9b567 39 API calls 97606->97609 97607 d9b38f 39 API calls 97607->97609 97608 d97510 53 API calls 97608->97609 97609->97604 97609->97605 97609->97606 97609->97607 97609->97608 97610 dbea0c 21 API calls ___std_exception_copy 97609->97610 97637 dfefae 24 API calls _wcslen 97609->97637 97610->97609 97613 dafc85 97612->97613 97614 dafd1d VirtualAlloc 97613->97614 97615 dafceb 97613->97615 97614->97615 97615->97565 97615->97566 97616->97550 97617->97550 97618->97569 97619->97572 97620->97574 97621->97577 97622->97583 97623->97583 97624->97583 97625->97554 97626->97583 97629 df8e74 _wcslen 97627->97629 97628 df8f63 97628->97590 97628->97596 97629->97628 97630 df8f68 97629->97630 97632 df8ea9 97629->97632 97630->97628 97636 dace60 41 API calls 97630->97636 97632->97628 97635 dace60 41 API calls 97632->97635 97634->97595 97635->97632 97636->97630 97637->97609 97638 d9fe73 97645 daceb1 97638->97645 97640 d9fe89 97654 dacf92 97640->97654 97642 d9feb3 97666 e0359c 82 API calls __wsopen_s 97642->97666 97644 de4ab8 97646 dacebf 97645->97646 97647 daced2 97645->97647 97667 d9aceb 23 API calls messages 97646->97667 97649 daced7 97647->97649 97650 dacf05 97647->97650 97651 dafddb 22 API calls 97649->97651 97668 d9aceb 23 API calls messages 97650->97668 97653 dacec9 97651->97653 97653->97640 97655 d96270 22 API calls 97654->97655 97656 dacfc9 97655->97656 97657 d99cb3 22 API calls 97656->97657 97659 dacffa 97656->97659 97658 ded166 97657->97658 97660 d96350 22 API calls 97658->97660 97659->97642 97661 ded171 97660->97661 97669 dad2f0 40 API calls 97661->97669 97663 ded184 97665 ded188 97663->97665 97670 d9aceb 23 API calls messages 97663->97670 97665->97665 97666->97644 97667->97653 97668->97653 97669->97663 97670->97665 97671 d91033 97676 d94c91 97671->97676 97675 d91042 97677 d9a961 22 API calls 97676->97677 97678 d94cff 97677->97678 97684 d93af0 97678->97684 97681 d94d9c 97682 d91038 97681->97682 97687 d951f7 22 API calls __fread_nolock 97681->97687 97683 db00a3 29 API calls __onexit 97682->97683 97683->97675 97688 d93b1c 97684->97688 97687->97681 97689 d93b0f 97688->97689 97690 d93b29 97688->97690 97689->97681 97690->97689 97691 d93b30 RegOpenKeyExW 97690->97691 97691->97689 97692 d93b4a RegQueryValueExW 97691->97692 97693 d93b80 RegCloseKey 97692->97693 97694 d93b6b 97692->97694 97693->97689 97694->97693 97695 d92e37 97696 d9a961 22 API calls 97695->97696 97697 d92e4d 97696->97697 97774 d94ae3 97697->97774 97699 d92e6b 97700 d93a5a 24 API calls 97699->97700 97701 d92e7f 97700->97701 97702 d99cb3 22 API calls 97701->97702 97703 d92e8c 97702->97703 97704 d94ecb 94 API calls 97703->97704 97705 d92ea5 97704->97705 97706 dd2cb0 97705->97706 97707 d92ead 97705->97707 97804 e02cf9 97706->97804 97711 d9a8c7 22 API calls 97707->97711 97709 dd2cc3 97710 dd2ccf 97709->97710 97712 d94f39 68 API calls 97709->97712 97715 d94f39 68 API calls 97710->97715 97713 d92ec3 97711->97713 97712->97710 97788 d96f88 22 API calls 97713->97788 97717 dd2ce5 97715->97717 97716 d92ecf 97718 d99cb3 22 API calls 97716->97718 97830 d93084 22 API calls 97717->97830 97719 d92edc 97718->97719 97789 d9a81b 41 API calls 97719->97789 97721 d92eec 97724 d99cb3 22 API calls 97721->97724 97723 dd2d02 97831 d93084 22 API calls 97723->97831 97726 d92f12 97724->97726 97790 d9a81b 41 API calls 97726->97790 97727 dd2d1e 97729 d93a5a 24 API calls 97727->97729 97730 dd2d44 97729->97730 97832 d93084 22 API calls 97730->97832 97731 d92f21 97734 d9a961 22 API calls 97731->97734 97733 dd2d50 97735 d9a8c7 22 API calls 97733->97735 97736 d92f3f 97734->97736 97737 dd2d5e 97735->97737 97791 d93084 22 API calls 97736->97791 97833 d93084 22 API calls 97737->97833 97740 d92f4b 97792 db4a28 40 API calls 3 library calls 97740->97792 97742 dd2d6d 97746 d9a8c7 22 API calls 97742->97746 97743 d92f59 97743->97717 97744 d92f63 97743->97744 97793 db4a28 40 API calls 3 library calls 97744->97793 97748 dd2d83 97746->97748 97747 d92f6e 97747->97723 97750 d92f78 97747->97750 97834 d93084 22 API calls 97748->97834 97794 db4a28 40 API calls 3 library calls 97750->97794 97751 dd2d90 97753 d92f83 97753->97727 97754 d92f8d 97753->97754 97795 db4a28 40 API calls 3 library calls 97754->97795 97756 d92f98 97757 d92fdc 97756->97757 97796 d93084 22 API calls 97756->97796 97757->97742 97758 d92fe8 97757->97758 97758->97751 97798 d963eb 22 API calls 97758->97798 97761 d92fbf 97762 d9a8c7 22 API calls 97761->97762 97764 d92fcd 97762->97764 97763 d92ff8 97799 d96a50 22 API calls 97763->97799 97797 d93084 22 API calls 97764->97797 97767 d93006 97800 d970b0 23 API calls 97767->97800 97771 d93021 97772 d93065 97771->97772 97801 d96f88 22 API calls 97771->97801 97802 d970b0 23 API calls 97771->97802 97803 d93084 22 API calls 97771->97803 97775 d94af0 __wsopen_s 97774->97775 97776 d96b57 22 API calls 97775->97776 97777 d94b22 97775->97777 97776->97777 97778 d94c6d 22 API calls 97777->97778 97782 d94b58 97777->97782 97778->97777 97779 d94c6d 22 API calls 97779->97782 97780 d94c29 97781 d99cb3 22 API calls 97780->97781 97787 d94c5e 97780->97787 97784 d94c52 97781->97784 97782->97779 97782->97780 97783 d99cb3 22 API calls 97782->97783 97786 d9515f 22 API calls 97782->97786 97783->97782 97785 d9515f 22 API calls 97784->97785 97785->97787 97786->97782 97787->97699 97788->97716 97789->97721 97790->97731 97791->97740 97792->97743 97793->97747 97794->97753 97795->97756 97796->97761 97797->97757 97798->97763 97799->97767 97800->97771 97801->97771 97802->97771 97803->97771 97805 e02d15 97804->97805 97806 d9511f 64 API calls 97805->97806 97807 e02d29 97806->97807 97808 e02e66 75 API calls 97807->97808 97809 e02d3b 97808->97809 97810 d950f5 40 API calls 97809->97810 97827 e02d3f 97809->97827 97811 e02d56 97810->97811 97812 d950f5 40 API calls 97811->97812 97813 e02d66 97812->97813 97814 d950f5 40 API calls 97813->97814 97815 e02d81 97814->97815 97816 d950f5 40 API calls 97815->97816 97817 e02d9c 97816->97817 97818 d9511f 64 API calls 97817->97818 97819 e02db3 97818->97819 97820 dbea0c ___std_exception_copy 21 API calls 97819->97820 97821 e02dba 97820->97821 97822 dbea0c ___std_exception_copy 21 API calls 97821->97822 97823 e02dc4 97822->97823 97824 d950f5 40 API calls 97823->97824 97825 e02dd8 97824->97825 97826 e028fe 27 API calls 97825->97826 97828 e02dee 97826->97828 97827->97709 97828->97827 97829 e022ce 79 API calls 97828->97829 97829->97827 97830->97723 97831->97727 97832->97733 97833->97742 97834->97751 97835 d93156 97838 d93170 97835->97838 97839 d93187 97838->97839 97840 d931e9 97839->97840 97841 d931eb 97839->97841 97842 d9318c 97839->97842 97843 d931d0 DefWindowProcW 97840->97843 97844 dd2dfb 97841->97844 97845 d931f1 97841->97845 97846 d93199 97842->97846 97847 d93265 PostQuitMessage 97842->97847 97848 d9316a 97843->97848 97887 d918e2 10 API calls 97844->97887 97849 d931f8 97845->97849 97850 d9321d SetTimer RegisterWindowMessageW 97845->97850 97852 dd2e7c 97846->97852 97853 d931a4 97846->97853 97847->97848 97854 dd2d9c 97849->97854 97855 d93201 KillTimer 97849->97855 97850->97848 97857 d93246 CreatePopupMenu 97850->97857 97902 dfbf30 34 API calls ___scrt_fastfail 97852->97902 97858 dd2e68 97853->97858 97859 d931ae 97853->97859 97862 dd2dd7 MoveWindow 97854->97862 97863 dd2da1 97854->97863 97883 d930f2 Shell_NotifyIconW ___scrt_fastfail 97855->97883 97856 dd2e1c 97888 dae499 42 API calls 97856->97888 97857->97848 97901 dfc161 27 API calls ___scrt_fastfail 97858->97901 97867 dd2e4d 97859->97867 97868 d931b9 97859->97868 97861 dd2e8e 97861->97843 97861->97848 97862->97848 97871 dd2da7 97863->97871 97872 dd2dc6 SetFocus 97863->97872 97867->97843 97900 df0ad7 22 API calls 97867->97900 97869 d93253 97868->97869 97870 d931c4 97868->97870 97885 d9326f 44 API calls ___scrt_fastfail 97869->97885 97870->97843 97889 d930f2 Shell_NotifyIconW ___scrt_fastfail 97870->97889 97871->97870 97876 dd2db0 97871->97876 97872->97848 97873 d93214 97884 d93c50 DeleteObject DestroyWindow 97873->97884 97874 d93263 97874->97848 97886 d918e2 10 API calls 97876->97886 97881 dd2e41 97890 d93837 97881->97890 97883->97873 97884->97848 97885->97874 97886->97848 97887->97856 97888->97870 97889->97881 97891 d93862 ___scrt_fastfail 97890->97891 97903 d94212 97891->97903 97895 d938e8 97896 dd3386 Shell_NotifyIconW 97895->97896 97897 d93906 Shell_NotifyIconW 97895->97897 97907 d93923 97897->97907 97899 d9391c 97899->97840 97900->97840 97901->97874 97902->97861 97904 dd35a4 97903->97904 97905 d938b7 97903->97905 97904->97905 97906 dd35ad DestroyIcon 97904->97906 97905->97895 97929 dfc874 42 API calls _strftime 97905->97929 97906->97905 97908 d9393f 97907->97908 97927 d93a13 97907->97927 97909 d96270 22 API calls 97908->97909 97910 d9394d 97909->97910 97911 d9395a 97910->97911 97912 dd3393 LoadStringW 97910->97912 97913 d96b57 22 API calls 97911->97913 97914 dd33ad 97912->97914 97915 d9396f 97913->97915 97918 d9a8c7 22 API calls 97914->97918 97923 d93994 ___scrt_fastfail 97914->97923 97916 dd33c9 97915->97916 97917 d9397c 97915->97917 97920 d96350 22 API calls 97916->97920 97917->97914 97919 d93986 97917->97919 97918->97923 97921 d96350 22 API calls 97919->97921 97922 dd33d7 97920->97922 97921->97923 97922->97923 97925 d933c6 22 API calls 97922->97925 97924 d939f9 Shell_NotifyIconW 97923->97924 97924->97927 97926 dd33f9 97925->97926 97928 d933c6 22 API calls 97926->97928 97927->97899 97928->97923 97929->97895 97930 d91cad SystemParametersInfoW 97931 dd2ba5 97932 dd2baf 97931->97932 97933 d92b25 97931->97933 97935 d93a5a 24 API calls 97932->97935 97959 d92b83 7 API calls 97933->97959 97937 dd2bb8 97935->97937 97939 d99cb3 22 API calls 97937->97939 97941 dd2bc6 97939->97941 97940 d92b2f 97945 d93837 49 API calls 97940->97945 97948 d92b44 97940->97948 97942 dd2bce 97941->97942 97943 dd2bf5 97941->97943 97946 d933c6 22 API calls 97942->97946 97944 d933c6 22 API calls 97943->97944 97947 dd2bf1 GetForegroundWindow ShellExecuteW 97944->97947 97945->97948 97949 dd2bd9 97946->97949 97953 dd2c26 97947->97953 97951 d92b5f 97948->97951 97963 d930f2 Shell_NotifyIconW ___scrt_fastfail 97948->97963 97952 d96350 22 API calls 97949->97952 97957 d92b66 SetCurrentDirectoryW 97951->97957 97955 dd2be7 97952->97955 97953->97951 97956 d933c6 22 API calls 97955->97956 97956->97947 97958 d92b7a 97957->97958 97964 d92cd4 7 API calls 97959->97964 97961 d92b2a 97962 d92c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97961->97962 97962->97940 97963->97951 97964->97961 97965 d92de3 97966 d92df0 __wsopen_s 97965->97966 97967 d92e09 97966->97967 97968 dd2c2b ___scrt_fastfail 97966->97968 97969 d93aa2 23 API calls 97967->97969 97970 dd2c47 GetOpenFileNameW 97968->97970 97971 d92e12 97969->97971 97972 dd2c96 97970->97972 97981 d92da5 97971->97981 97974 d96b57 22 API calls 97972->97974 97976 dd2cab 97974->97976 97976->97976 97978 d92e27 97999 d944a8 97978->97999 97982 dd1f50 __wsopen_s 97981->97982 97983 d92db2 GetLongPathNameW 97982->97983 97984 d96b57 22 API calls 97983->97984 97985 d92dda 97984->97985 97986 d93598 97985->97986 97987 d9a961 22 API calls 97986->97987 97988 d935aa 97987->97988 97989 d93aa2 23 API calls 97988->97989 97990 d935b5 97989->97990 97991 d935c0 97990->97991 97995 dd32eb 97990->97995 97992 d9515f 22 API calls 97991->97992 97994 d935cc 97992->97994 98028 d935f3 97994->98028 97997 dd330d 97995->97997 98034 dace60 41 API calls 97995->98034 97998 d935df 97998->97978 98000 d94ecb 94 API calls 97999->98000 98001 d944cd 98000->98001 98002 dd3833 98001->98002 98003 d94ecb 94 API calls 98001->98003 98004 e02cf9 80 API calls 98002->98004 98005 d944e1 98003->98005 98006 dd3848 98004->98006 98005->98002 98007 d944e9 98005->98007 98008 dd384c 98006->98008 98009 dd3869 98006->98009 98012 dd3854 98007->98012 98013 d944f5 98007->98013 98010 d94f39 68 API calls 98008->98010 98011 dafe0b 22 API calls 98009->98011 98010->98012 98027 dd38ae 98011->98027 98042 dfda5a 82 API calls 98012->98042 98041 d9940c 136 API calls 2 library calls 98013->98041 98016 dd3862 98016->98009 98017 d92e31 98018 dd3a5f 98019 d94f39 68 API calls 98018->98019 98046 df989b 82 API calls __wsopen_s 98018->98046 98019->98018 98020 d9a4a1 22 API calls 98020->98027 98024 d99cb3 22 API calls 98024->98027 98027->98018 98027->98020 98027->98024 98035 d93ff7 98027->98035 98043 df967e 22 API calls __fread_nolock 98027->98043 98044 df95ad 42 API calls _wcslen 98027->98044 98045 e00b5a 22 API calls 98027->98045 98029 d93605 98028->98029 98033 d93624 __fread_nolock 98028->98033 98031 dafe0b 22 API calls 98029->98031 98030 dafddb 22 API calls 98032 d9363b 98030->98032 98031->98033 98032->97998 98033->98030 98034->97995 98036 d9400a 98035->98036 98038 d940ae 98035->98038 98037 dafe0b 22 API calls 98036->98037 98040 d9403c 98036->98040 98037->98040 98038->98027 98039 dafddb 22 API calls 98039->98040 98040->98038 98040->98039 98041->98017 98042->98016 98043->98027 98044->98027 98045->98027 98046->98018 98047 d91044 98052 d910f3 98047->98052 98049 d9104a 98088 db00a3 29 API calls __onexit 98049->98088 98051 d91054 98089 d91398 98052->98089 98056 d9116a 98057 d9a961 22 API calls 98056->98057 98058 d91174 98057->98058 98059 d9a961 22 API calls 98058->98059 98060 d9117e 98059->98060 98061 d9a961 22 API calls 98060->98061 98062 d91188 98061->98062 98063 d9a961 22 API calls 98062->98063 98064 d911c6 98063->98064 98065 d9a961 22 API calls 98064->98065 98066 d91292 98065->98066 98099 d9171c 98066->98099 98070 d912c4 98071 d9a961 22 API calls 98070->98071 98072 d912ce 98071->98072 98073 da1940 9 API calls 98072->98073 98074 d912f9 98073->98074 98120 d91aab 98074->98120 98076 d91315 98077 d91325 GetStdHandle 98076->98077 98078 dd2485 98077->98078 98079 d9137a 98077->98079 98078->98079 98080 dd248e 98078->98080 98082 d91387 OleInitialize 98079->98082 98081 dafddb 22 API calls 98080->98081 98083 dd2495 98081->98083 98082->98049 98127 e0011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 98083->98127 98085 dd249e 98128 e00944 CreateThread 98085->98128 98087 dd24aa CloseHandle 98087->98079 98088->98051 98129 d913f1 98089->98129 98092 d913f1 22 API calls 98093 d913d0 98092->98093 98094 d9a961 22 API calls 98093->98094 98095 d913dc 98094->98095 98096 d96b57 22 API calls 98095->98096 98097 d91129 98096->98097 98098 d91bc3 6 API calls 98097->98098 98098->98056 98100 d9a961 22 API calls 98099->98100 98101 d9172c 98100->98101 98102 d9a961 22 API calls 98101->98102 98103 d91734 98102->98103 98104 d9a961 22 API calls 98103->98104 98105 d9174f 98104->98105 98106 dafddb 22 API calls 98105->98106 98107 d9129c 98106->98107 98108 d91b4a 98107->98108 98109 d91b58 98108->98109 98110 d9a961 22 API calls 98109->98110 98111 d91b63 98110->98111 98112 d9a961 22 API calls 98111->98112 98113 d91b6e 98112->98113 98114 d9a961 22 API calls 98113->98114 98115 d91b79 98114->98115 98116 d9a961 22 API calls 98115->98116 98117 d91b84 98116->98117 98118 dafddb 22 API calls 98117->98118 98119 d91b96 RegisterWindowMessageW 98118->98119 98119->98070 98121 dd272d 98120->98121 98122 d91abb 98120->98122 98136 e03209 23 API calls 98121->98136 98123 dafddb 22 API calls 98122->98123 98125 d91ac3 98123->98125 98125->98076 98126 dd2738 98127->98085 98128->98087 98137 e0092a 28 API calls 98128->98137 98130 d9a961 22 API calls 98129->98130 98131 d913fc 98130->98131 98132 d9a961 22 API calls 98131->98132 98133 d91404 98132->98133 98134 d9a961 22 API calls 98133->98134 98135 d913c6 98134->98135 98135->98092 98136->98126 98138 de2a00 98152 d9d7b0 messages 98138->98152 98139 d9db11 PeekMessageW 98139->98152 98140 d9d807 GetInputState 98140->98139 98140->98152 98142 de1cbe TranslateAcceleratorW 98142->98152 98143 d9da04 timeGetTime 98143->98152 98144 d9db8f PeekMessageW 98144->98152 98145 d9db73 TranslateMessage DispatchMessageW 98145->98144 98146 d9dbaf Sleep 98164 d9dbc0 98146->98164 98147 de2b74 Sleep 98147->98164 98148 de1dda timeGetTime 98202 dae300 23 API calls 98148->98202 98149 dae551 timeGetTime 98149->98164 98152->98139 98152->98140 98152->98142 98152->98143 98152->98144 98152->98145 98152->98146 98152->98147 98152->98148 98154 d9d9d5 98152->98154 98166 d9ec40 235 API calls 98152->98166 98167 da1310 235 API calls 98152->98167 98170 d9dd50 98152->98170 98177 d9dfd0 98152->98177 98200 d9bf40 235 API calls 2 library calls 98152->98200 98201 daedf6 IsDialogMessageW GetClassLongW 98152->98201 98203 e03a2a 23 API calls 98152->98203 98204 e0359c 82 API calls __wsopen_s 98152->98204 98153 de2c0b GetExitCodeProcess 98156 de2c37 CloseHandle 98153->98156 98157 de2c21 WaitForSingleObject 98153->98157 98156->98164 98157->98152 98157->98156 98158 de2a31 98158->98154 98159 e229bf GetForegroundWindow 98159->98164 98160 de2ca9 Sleep 98160->98152 98164->98149 98164->98152 98164->98153 98164->98154 98164->98158 98164->98159 98164->98160 98205 e15658 23 API calls 98164->98205 98206 dfe97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98164->98206 98207 dfd4dc 47 API calls 98164->98207 98166->98152 98167->98152 98171 d9dd6f 98170->98171 98172 d9dd83 98170->98172 98208 d9d260 235 API calls 2 library calls 98171->98208 98209 e0359c 82 API calls __wsopen_s 98172->98209 98174 d9dd7a 98174->98152 98176 de2f75 98176->98176 98178 d9e010 98177->98178 98184 d9e0dc messages 98178->98184 98212 db0242 5 API calls __Init_thread_wait 98178->98212 98181 de2fca 98183 d9a961 22 API calls 98181->98183 98181->98184 98182 d9a961 22 API calls 98182->98184 98185 de2fe4 98183->98185 98184->98182 98192 d9ec40 235 API calls 98184->98192 98193 e0359c 82 API calls 98184->98193 98195 d9a8c7 22 API calls 98184->98195 98196 da04f0 22 API calls 98184->98196 98197 d9e3e1 98184->98197 98210 d9a81b 41 API calls 98184->98210 98211 daa308 235 API calls 98184->98211 98215 db0242 5 API calls __Init_thread_wait 98184->98215 98216 db00a3 29 API calls __onexit 98184->98216 98217 db01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98184->98217 98218 e147d4 235 API calls 98184->98218 98219 e168c1 235 API calls 98184->98219 98213 db00a3 29 API calls __onexit 98185->98213 98189 de2fee 98214 db01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98189->98214 98192->98184 98193->98184 98195->98184 98196->98184 98197->98152 98200->98152 98201->98152 98202->98152 98203->98152 98204->98152 98205->98164 98206->98164 98207->98164 98208->98174 98209->98176 98210->98184 98211->98184 98212->98181 98213->98189 98214->98184 98215->98184 98216->98184 98217->98184 98218->98184 98219->98184 98220 dc8402 98225 dc81be 98220->98225 98224 dc842a 98230 dc81ef try_get_first_available_module 98225->98230 98227 dc83ee 98244 dc27ec 26 API calls __cftof 98227->98244 98229 dc8343 98229->98224 98237 dd0984 98229->98237 98236 dc8338 98230->98236 98240 db8e0b 40 API calls 2 library calls 98230->98240 98232 dc838c 98232->98236 98241 db8e0b 40 API calls 2 library calls 98232->98241 98234 dc83ab 98234->98236 98242 db8e0b 40 API calls 2 library calls 98234->98242 98236->98229 98243 dbf2d9 20 API calls __dosmaperr 98236->98243 98245 dd0081 98237->98245 98239 dd099f 98239->98224 98240->98232 98241->98234 98242->98236 98243->98227 98244->98229 98248 dd008d CallCatchBlock 98245->98248 98246 dd009b 98302 dbf2d9 20 API calls __dosmaperr 98246->98302 98248->98246 98250 dd00d4 98248->98250 98249 dd00a0 98303 dc27ec 26 API calls __cftof 98249->98303 98256 dd065b 98250->98256 98255 dd00aa __wsopen_s 98255->98239 98257 dd0678 98256->98257 98258 dd068d 98257->98258 98259 dd06a6 98257->98259 98319 dbf2c6 20 API calls __dosmaperr 98258->98319 98305 dc5221 98259->98305 98262 dd0692 98320 dbf2d9 20 API calls __dosmaperr 98262->98320 98263 dd06ab 98264 dd06cb 98263->98264 98265 dd06b4 98263->98265 98318 dd039a CreateFileW 98264->98318 98321 dbf2c6 20 API calls __dosmaperr 98265->98321 98269 dd06b9 98322 dbf2d9 20 API calls __dosmaperr 98269->98322 98270 dd0781 GetFileType 98273 dd078c GetLastError 98270->98273 98274 dd07d3 98270->98274 98272 dd0756 GetLastError 98324 dbf2a3 20 API calls __dosmaperr 98272->98324 98325 dbf2a3 20 API calls __dosmaperr 98273->98325 98327 dc516a 21 API calls 2 library calls 98274->98327 98275 dd0704 98275->98270 98275->98272 98323 dd039a CreateFileW 98275->98323 98279 dd079a CloseHandle 98279->98262 98280 dd07c3 98279->98280 98326 dbf2d9 20 API calls __dosmaperr 98280->98326 98282 dd0749 98282->98270 98282->98272 98284 dd07f4 98288 dd0840 98284->98288 98328 dd05ab 72 API calls 3 library calls 98284->98328 98285 dd07c8 98285->98262 98290 dd086d 98288->98290 98329 dd014d 72 API calls 4 library calls 98288->98329 98289 dd0866 98289->98290 98291 dd087e 98289->98291 98292 dc86ae __wsopen_s 29 API calls 98290->98292 98293 dd00f8 98291->98293 98294 dd08fc CloseHandle 98291->98294 98292->98293 98304 dd0121 LeaveCriticalSection __wsopen_s 98293->98304 98330 dd039a CreateFileW 98294->98330 98296 dd0927 98297 dd0931 GetLastError 98296->98297 98298 dd095d 98296->98298 98331 dbf2a3 20 API calls __dosmaperr 98297->98331 98298->98293 98300 dd093d 98332 dc5333 21 API calls 2 library calls 98300->98332 98302->98249 98303->98255 98304->98255 98306 dc522d CallCatchBlock 98305->98306 98333 dc2f5e EnterCriticalSection 98306->98333 98308 dc527b 98334 dc532a 98308->98334 98309 dc5234 98309->98308 98310 dc5259 98309->98310 98315 dc52c7 EnterCriticalSection 98309->98315 98312 dc5000 __wsopen_s 21 API calls 98310->98312 98314 dc525e 98312->98314 98313 dc52a4 __wsopen_s 98313->98263 98314->98308 98337 dc5147 EnterCriticalSection 98314->98337 98315->98308 98316 dc52d4 LeaveCriticalSection 98315->98316 98316->98309 98318->98275 98319->98262 98320->98293 98321->98269 98322->98262 98323->98282 98324->98262 98325->98279 98326->98285 98327->98284 98328->98288 98329->98289 98330->98296 98331->98300 98332->98298 98333->98309 98338 dc2fa6 LeaveCriticalSection 98334->98338 98336 dc5331 98336->98313 98337->98308 98338->98336 98339 cf23b0 98353 cf0000 98339->98353 98341 cf2465 98356 cf22a0 98341->98356 98343 cf248e CreateFileW 98345 cf24e2 98343->98345 98348 cf24dd 98343->98348 98346 cf24f9 VirtualAlloc 98345->98346 98345->98348 98347 cf2517 ReadFile 98346->98347 98346->98348 98347->98348 98349 cf2532 98347->98349 98350 cf12a0 13 API calls 98349->98350 98351 cf2565 98350->98351 98352 cf2588 ExitProcess 98351->98352 98352->98348 98359 cf3490 GetPEB 98353->98359 98355 cf068b 98355->98341 98357 cf22a9 Sleep 98356->98357 98358 cf22b7 98357->98358 98360 cf34ba 98359->98360 98360->98355

            Executed Functions

            Function 00D942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235libraryloaderCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 234 d942de-d9434d call d9a961 GetVersionExW call d96b57 239 dd3617-dd362a 234->239 240 d94353 234->240 242 dd362b-dd362f 239->242 241 d94355-d94357 240->241 243 d9435d-d943bc call d993b2 call d937a0 241->243 244 dd3656 241->244 245 dd3631 242->245 246 dd3632-dd363e 242->246 263 dd37df-dd37e6 243->263 264 d943c2-d943c4 243->264 250 dd365d-dd3660 244->250 245->246 246->242 248 dd3640-dd3642 246->248 248->241 249 dd3648-dd364f 248->249 249->239 252 dd3651 249->252 253 d9441b-d94435 GetCurrentProcess IsWow64Process 250->253 254 dd3666-dd36a8 250->254 252->244 256 d94494-d9449a 253->256 257 d94437 253->257 254->253 258 dd36ae-dd36b1 254->258 260 d9443d-d94449 256->260 257->260 261 dd36db-dd36e5 258->261 262 dd36b3-dd36bd 258->262 265 d9444f-d9445e LoadLibraryA 260->265 266 dd3824-dd3828 GetSystemInfo 260->266 270 dd36f8-dd3702 261->270 271 dd36e7-dd36f3 261->271 267 dd36bf-dd36c5 262->267 268 dd36ca-dd36d6 262->268 272 dd37e8 263->272 273 dd3806-dd3809 263->273 264->250 269 d943ca-d943dd 264->269 276 d9449c-d944a6 GetSystemInfo 265->276 277 d94460-d9446e GetProcAddress 265->277 267->253 268->253 278 d943e3-d943e5 269->278 279 dd3726-dd372f 269->279 281 dd3715-dd3721 270->281 282 dd3704-dd3710 270->282 271->253 280 dd37ee 272->280 274 dd380b-dd381a 273->274 275 dd37f4-dd37fc 273->275 274->280 285 dd381c-dd3822 274->285 275->273 287 d94476-d94478 276->287 277->276 286 d94470-d94474 GetNativeSystemInfo 277->286 288 dd374d-dd3762 278->288 289 d943eb-d943ee 278->289 283 dd373c-dd3748 279->283 284 dd3731-dd3737 279->284 280->275 281->253 282->253 283->253 284->253 285->275 286->287 292 d9447a-d9447b FreeLibrary 287->292 293 d94481-d94493 287->293 290 dd376f-dd377b 288->290 291 dd3764-dd376a 288->291 294 dd3791-dd3794 289->294 295 d943f4-d9440f 289->295 290->253 291->253 292->293 294->253 296 dd379a-dd37c1 294->296 297 d94415 295->297 298 dd3780-dd378c 295->298 299 dd37ce-dd37da 296->299 300 dd37c3-dd37c9 296->300 297->253 298->253 299->253 300->253
            APIs
            • GetVersionExW.KERNEL32(?), ref: 00D9430D
              • Part of subcall function 00D96B57: _wcslen.LIBCMT ref: 00D96B6A
            • GetCurrentProcess.KERNEL32(?,00E2CB64,00000000,?,?), ref: 00D94422
            • IsWow64Process.KERNEL32(00000000,?,?), ref: 00D94429
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00D94454
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D94466
            • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00D94474
            • FreeLibrary.KERNEL32(00000000,?,?), ref: 00D9447B
            • GetSystemInfo.KERNEL32(?,?,?), ref: 00D944A0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
            • String ID: GetNativeSystemInfo$kernel32.dll$|O
            • API String ID: 3290436268-3101561225
            • Opcode ID: 498f2d94b338319a58ca42d2731e510082a121daa865ba50726a65b69b1a87a9
            • Instruction ID: 8b7efe7c50620cea5641a8a75923519c7ec92e9a1032f77eb273ffb531e022b4
            • Opcode Fuzzy Hash: 498f2d94b338319a58ca42d2731e510082a121daa865ba50726a65b69b1a87a9
            • Instruction Fuzzy Hash: 06A1656598A6C0DFCB13C76BBC4159A7FA46B36780B1E54E9D083B7722D2E0450DCB72
            Function 00D942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1378 d942a2-d942ba CreateStreamOnHGlobal 1379 d942da-d942dd 1378->1379 1380 d942bc-d942d3 FindResourceExW 1378->1380 1381 d942d9 1380->1381 1382 dd35ba-dd35c9 LoadResource 1380->1382 1381->1379 1382->1381 1383 dd35cf-dd35dd SizeofResource 1382->1383 1383->1381 1384 dd35e3-dd35ee LockResource 1383->1384 1384->1381 1385 dd35f4-dd3612 1384->1385 1385->1381
            APIs
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D950AA,?,?,00000000,00000000), ref: 00D942B2
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D950AA,?,?,00000000,00000000), ref: 00D942C9
            • LoadResource.KERNEL32(?,00000000,?,?,00D950AA,?,?,00000000,00000000,?,?,?,?,?,?,00D94F20), ref: 00DD35BE
            • SizeofResource.KERNEL32(?,00000000,?,?,00D950AA,?,?,00000000,00000000,?,?,?,?,?,?,00D94F20), ref: 00DD35D3
            • LockResource.KERNEL32(00D950AA,?,?,00D950AA,?,?,00000000,00000000,?,?,?,?,?,?,00D94F20,?), ref: 00DD35E6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT
            • API String ID: 3051347437-3967369404
            • Opcode ID: fee9c0771fa99c0ddd8bdcac556edc56f6460c71fbd0b42127e6058995b0acb0
            • Instruction ID: 1e4889524f870ed274cae5b03fd3e1e92a8cbfd0f96c8d4858168832311f1573
            • Opcode Fuzzy Hash: fee9c0771fa99c0ddd8bdcac556edc56f6460c71fbd0b42127e6058995b0acb0
            • Instruction Fuzzy Hash: 71117071201700BFDB218B66DC48F2B7BB9EFC5B51F244269B40296260DB71D8068630
            Function 00DD2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON
            Download Yara Rule

            Control-flow Graph

            APIs
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00D92B6B
              • Part of subcall function 00D93A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E61418,?,00D92E7F,?,?,?,00000000), ref: 00D93A78
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
            • GetForegroundWindow.USER32(runas,?,?,?,?,?,00E52224), ref: 00DD2C10
            • ShellExecuteW.SHELL32(00000000,?,?,00E52224), ref: 00DD2C17
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
            • String ID: runas
            • API String ID: 448630720-4000483414
            • Opcode ID: ca05ff249c0b5fc8e48f03a3b676d61685da1ef73d8083f7b55c85a86057b057
            • Instruction ID: 97118a0d07b3b099ec8ef15824e54bc0122481ad0fdc74697bbbfa62a88fca76
            • Opcode Fuzzy Hash: ca05ff249c0b5fc8e48f03a3b676d61685da1ef73d8083f7b55c85a86057b057
            • Instruction Fuzzy Hash: 1C11B4312083016ECF15FF64E85297EB7A4DBE5345F48182DF596630A2DF61890E8732
            Function 00DFDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON
            Download Yara Rule
            APIs
            • lstrlenW.KERNEL32(?,00DD5222), ref: 00DFDBCE
            • GetFileAttributesW.KERNELBASE(?), ref: 00DFDBDD
            • FindFirstFileW.KERNELBASE(?,?), ref: 00DFDBEE
            • FindClose.KERNEL32(00000000), ref: 00DFDBFA
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirstlstrlen
            • String ID:
            • API String ID: 2695905019-0
            • Opcode ID: 621a68884707cc5199bdd68f5f4f7134783ea88abc3f7580b91b9ee5ca16a426
            • Instruction ID: c382d692ac998e95902a0fc751325cb17060e5fe28f063574be8be1843ffc30d
            • Opcode Fuzzy Hash: 621a68884707cc5199bdd68f5f4f7134783ea88abc3f7580b91b9ee5ca16a426
            • Instruction Fuzzy Hash: 07F0A7314109149B82306B78DC0D47E377E9F05334B288702F576D20F0EBF0595985E5
            Function 00D9D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON
            Download Yara Rule
            APIs
            • GetInputState.USER32 ref: 00D9D807
            • timeGetTime.WINMM ref: 00D9DA07
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D9DB28
            • TranslateMessage.USER32(?), ref: 00D9DB7B
            • DispatchMessageW.USER32(?), ref: 00D9DB89
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D9DB9F
            • Sleep.KERNEL32(0000000A), ref: 00D9DBB1
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
            • String ID:
            • API String ID: 2189390790-0
            • Opcode ID: 6963afbc20d865b9f5143ee3d27ede1ca8dad37b4ee1681a3cf04de80f4aac40
            • Instruction ID: ef7bc240ded3af6bd104ce72f91b4c284f0f7d558dcb522ce2923f5953b81f25
            • Opcode Fuzzy Hash: 6963afbc20d865b9f5143ee3d27ede1ca8dad37b4ee1681a3cf04de80f4aac40
            • Instruction Fuzzy Hash: 6A42DF30604241EFDB29EF25C884BBAB7E6FF45304F184669E596972A1D770E844CFB2
            Function 00D92CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00D92D07
            • RegisterClassExW.USER32(00000030), ref: 00D92D31
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D92D42
            • InitCommonControlsEx.COMCTL32(?), ref: 00D92D5F
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D92D6F
            • LoadIconW.USER32(000000A9), ref: 00D92D85
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D92D94
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: d5ed9d03285894da479e78ea88671f365f6141ab94deb0373fdf0e26c0e667e0
            • Instruction ID: 8e7872fbee4f9e4f3f78beb80d701589c187e9a4c8d6b657f7ddf71ff6852565
            • Opcode Fuzzy Hash: d5ed9d03285894da479e78ea88671f365f6141ab94deb0373fdf0e26c0e667e0
            • Instruction Fuzzy Hash: EB2110B0901318AFDB11DFA6EC89BDEBBB4FB48741F24811AF611B62A0D7B00549CF90
            Function 00DD065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 302 dd065b-dd068b call dd042f 305 dd068d-dd0698 call dbf2c6 302->305 306 dd06a6-dd06b2 call dc5221 302->306 311 dd069a-dd06a1 call dbf2d9 305->311 312 dd06cb-dd0714 call dd039a 306->312 313 dd06b4-dd06c9 call dbf2c6 call dbf2d9 306->313 322 dd097d-dd0983 311->322 320 dd0716-dd071f 312->320 321 dd0781-dd078a GetFileType 312->321 313->311 325 dd0756-dd077c GetLastError call dbf2a3 320->325 326 dd0721-dd0725 320->326 327 dd078c-dd07bd GetLastError call dbf2a3 CloseHandle 321->327 328 dd07d3-dd07d6 321->328 325->311 326->325 331 dd0727-dd0754 call dd039a 326->331 327->311 339 dd07c3-dd07ce call dbf2d9 327->339 329 dd07df-dd07e5 328->329 330 dd07d8-dd07dd 328->330 334 dd07e9-dd0837 call dc516a 329->334 335 dd07e7 329->335 330->334 331->321 331->325 345 dd0839-dd0845 call dd05ab 334->345 346 dd0847-dd086b call dd014d 334->346 335->334 339->311 345->346 353 dd086f-dd0879 call dc86ae 345->353 351 dd086d 346->351 352 dd087e-dd08c1 346->352 351->353 355 dd08c3-dd08c7 352->355 356 dd08e2-dd08f0 352->356 353->322 355->356 358 dd08c9-dd08dd 355->358 359 dd097b 356->359 360 dd08f6-dd08fa 356->360 358->356 359->322 360->359 361 dd08fc-dd092f CloseHandle call dd039a 360->361 364 dd0931-dd095d GetLastError call dbf2a3 call dc5333 361->364 365 dd0963-dd0977 361->365 364->365 365->359
            APIs
              • Part of subcall function 00DD039A: CreateFileW.KERNELBASE(00000000,00000000,?,00DD0704,?,?,00000000,?,00DD0704,00000000,0000000C), ref: 00DD03B7
            • GetLastError.KERNEL32 ref: 00DD076F
            • __dosmaperr.LIBCMT ref: 00DD0776
            • GetFileType.KERNELBASE(00000000), ref: 00DD0782
            • GetLastError.KERNEL32 ref: 00DD078C
            • __dosmaperr.LIBCMT ref: 00DD0795
            • CloseHandle.KERNEL32(00000000), ref: 00DD07B5
            • CloseHandle.KERNEL32(?), ref: 00DD08FF
            • GetLastError.KERNEL32 ref: 00DD0931
            • __dosmaperr.LIBCMT ref: 00DD0938
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
            • String ID: H
            • API String ID: 4237864984-2852464175
            • Opcode ID: aa775f4ded2d0af124d492e1d44671a3d830efac629ceaad4c6b2baab36587d1
            • Instruction ID: 82e03273ddf497cd0a0e33338767004447277434f28f24191ce0102b758b0a56
            • Opcode Fuzzy Hash: aa775f4ded2d0af124d492e1d44671a3d830efac629ceaad4c6b2baab36587d1
            • Instruction Fuzzy Hash: A9A1E332A041149FDF19EF68DC51BAE7FA0EB86320F28015AF815AF391D7719916CBB1
            Function 00D9344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
              • Part of subcall function 00D93A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E61418,?,00D92E7F,?,?,?,00000000), ref: 00D93A78
              • Part of subcall function 00D93357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D93379
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D9356A
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00DD318D
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00DD31CE
            • RegCloseKey.ADVAPI32(?), ref: 00DD3210
            • _wcslen.LIBCMT ref: 00DD3277
            • _wcslen.LIBCMT ref: 00DD3286
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
            • API String ID: 98802146-2727554177
            • Opcode ID: e68d712472a535e1f8b3055963c72779ef4836b5e82fb90e50ff59002c9bf7b4
            • Instruction ID: 5ffe6a3872663eec5493dcd7b088618fa4111e7ff74185c9ebb11cc3b814e011
            • Opcode Fuzzy Hash: e68d712472a535e1f8b3055963c72779ef4836b5e82fb90e50ff59002c9bf7b4
            • Instruction Fuzzy Hash: 4D7185715447029EC714EF66EC4295FBBE8FF95380F50042EF645A32A1EB709A49CB72
            Function 00D92B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63windowregistryCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00D92B8E
            • LoadCursorW.USER32(00000000,00007F00), ref: 00D92B9D
            • LoadIconW.USER32(00000063), ref: 00D92BB3
            • LoadIconW.USER32(000000A4), ref: 00D92BC5
            • LoadIconW.USER32(000000A2), ref: 00D92BD7
            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D92BEF
            • RegisterClassExW.USER32(?), ref: 00D92C40
              • Part of subcall function 00D92CD4: GetSysColorBrush.USER32(0000000F), ref: 00D92D07
              • Part of subcall function 00D92CD4: RegisterClassExW.USER32(00000030), ref: 00D92D31
              • Part of subcall function 00D92CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D92D42
              • Part of subcall function 00D92CD4: InitCommonControlsEx.COMCTL32(?), ref: 00D92D5F
              • Part of subcall function 00D92CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D92D6F
              • Part of subcall function 00D92CD4: LoadIconW.USER32(000000A9), ref: 00D92D85
              • Part of subcall function 00D92CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D92D94
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: 7e34eeeb796c5639f8dc704cce9ea73405bf8fda1b9410b22391cd5d71fd72d2
            • Instruction ID: 49c5c71e5375543cd6dbbec3962a6ea1402cb814deec5d8d83ef2bc125372e5c
            • Opcode Fuzzy Hash: 7e34eeeb796c5639f8dc704cce9ea73405bf8fda1b9410b22391cd5d71fd72d2
            • Instruction Fuzzy Hash: 20213670A90314AFCB119FA6FC45BAE7FB4EB48B80F19009BE501B27A0D7B105599F90
            Function 00D9B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON
            Download Yara Rule
            APIs
            • __Init_thread_footer.LIBCMT ref: 00D9BB4E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: p#$p#$p#$p#$p%$p%$x#$x#
            • API String ID: 1385522511-4136154834
            • Opcode ID: 195b1294271a8486b128186e5ad99a6ec7e1840dd15aacfc589f39897f33fc5a
            • Instruction ID: 2868e5f247a92a57631aef18bb5cd8e5883b973867788e9500aaa666693d96c0
            • Opcode Fuzzy Hash: 195b1294271a8486b128186e5ad99a6ec7e1840dd15aacfc589f39897f33fc5a
            • Instruction Fuzzy Hash: 6A32D130A00209EFCF10DF55D984ABE7BB9EF44364F19805AEA45AB251C7B4ED81CBB1
            Function 00D93170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145windowtimeregistryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 650 d93170-d93185 651 d931e5-d931e7 650->651 652 d93187-d9318a 650->652 651->652 653 d931e9 651->653 654 d931eb 652->654 655 d9318c-d93193 652->655 656 d931d0-d931d8 DefWindowProcW 653->656 657 dd2dfb-dd2e23 call d918e2 call dae499 654->657 658 d931f1-d931f6 654->658 659 d93199-d9319e 655->659 660 d93265-d9326d PostQuitMessage 655->660 661 d931de-d931e4 656->661 693 dd2e28-dd2e2f 657->693 663 d931f8-d931fb 658->663 664 d9321d-d93244 SetTimer RegisterWindowMessageW 658->664 666 dd2e7c-dd2e90 call dfbf30 659->666 667 d931a4-d931a8 659->667 662 d93219-d9321b 660->662 662->661 668 dd2d9c-dd2d9f 663->668 669 d93201-d93214 KillTimer call d930f2 call d93c50 663->669 664->662 671 d93246-d93251 CreatePopupMenu 664->671 666->662 685 dd2e96 666->685 672 dd2e68-dd2e77 call dfc161 667->672 673 d931ae-d931b3 667->673 676 dd2dd7-dd2df6 MoveWindow 668->676 677 dd2da1-dd2da5 668->677 669->662 671->662 672->662 681 dd2e4d-dd2e54 673->681 682 d931b9-d931be 673->682 676->662 686 dd2da7-dd2daa 677->686 687 dd2dc6-dd2dd2 SetFocus 677->687 681->656 688 dd2e5a-dd2e63 call df0ad7 681->688 683 d93253-d93263 call d9326f 682->683 684 d931c4-d931ca 682->684 683->662 684->656 684->693 685->656 686->684 694 dd2db0-dd2dc1 call d918e2 686->694 687->662 688->656 693->656 698 dd2e35-dd2e48 call d930f2 call d93837 693->698 694->662 698->656
            APIs
            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00D9316A,?,?), ref: 00D931D8
            • KillTimer.USER32(?,00000001,?,?,?,?,?,00D9316A,?,?), ref: 00D93204
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D93227
            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00D9316A,?,?), ref: 00D93232
            • CreatePopupMenu.USER32 ref: 00D93246
            • PostQuitMessage.USER32(00000000), ref: 00D93267
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated
            • API String ID: 129472671-2362178303
            • Opcode ID: f486b6941eff1298079a76b476dc1a2668a7085d4bf45a436752123ab13d3ed8
            • Instruction ID: b3f83885f78ce6a1594c47e52df99a7767133022c61db6d1122aec5dfeb93134
            • Opcode Fuzzy Hash: f486b6941eff1298079a76b476dc1a2668a7085d4bf45a436752123ab13d3ed8
            • Instruction Fuzzy Hash: 0C412531284304AFDF251BB8ED0AB7E3A1AEB45380F1C0166F556F62B1CBA1CA45D7B5
            Function 00D9DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID: D%$D%$D%$D%$D%$Variable must be of type 'Object'.
            • API String ID: 0-2799515523
            • Opcode ID: 515c71d12fcebfa481f6b305c2731b50f86000a2c05ed9a806f7b2f282b0478d
            • Instruction ID: ae8fee02c3d7e33b0658818f563f2f4bc4054be03676c4634178f7c0ad4f5f8e
            • Opcode Fuzzy Hash: 515c71d12fcebfa481f6b305c2731b50f86000a2c05ed9a806f7b2f282b0478d
            • Instruction Fuzzy Hash: 62C26971A00215DFCF24DFA9C884AADB7B1FB09310F288569E946AB391D375ED41CBB1
            Function 00DC8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1216 dc8d45-dc8d55 1217 dc8d6f-dc8d71 1216->1217 1218 dc8d57-dc8d6a call dbf2c6 call dbf2d9 1216->1218 1220 dc90d9-dc90e6 call dbf2c6 call dbf2d9 1217->1220 1221 dc8d77-dc8d7d 1217->1221 1234 dc90f1 1218->1234 1239 dc90ec call dc27ec 1220->1239 1221->1220 1224 dc8d83-dc8dae 1221->1224 1224->1220 1227 dc8db4-dc8dbd 1224->1227 1230 dc8dbf-dc8dd2 call dbf2c6 call dbf2d9 1227->1230 1231 dc8dd7-dc8dd9 1227->1231 1230->1239 1232 dc8ddf-dc8de3 1231->1232 1233 dc90d5-dc90d7 1231->1233 1232->1233 1237 dc8de9-dc8ded 1232->1237 1238 dc90f4-dc90f9 1233->1238 1234->1238 1237->1230 1241 dc8def-dc8e06 1237->1241 1239->1234 1244 dc8e08-dc8e0b 1241->1244 1245 dc8e23-dc8e2c 1241->1245 1247 dc8e0d-dc8e13 1244->1247 1248 dc8e15-dc8e1e 1244->1248 1249 dc8e2e-dc8e45 call dbf2c6 call dbf2d9 call dc27ec 1245->1249 1250 dc8e4a-dc8e54 1245->1250 1247->1248 1247->1249 1253 dc8ebf-dc8ed9 1248->1253 1282 dc900c 1249->1282 1251 dc8e5b-dc8e79 call dc3820 call dc29c8 * 2 1250->1251 1252 dc8e56-dc8e58 1250->1252 1286 dc8e7b-dc8e91 call dbf2d9 call dbf2c6 1251->1286 1287 dc8e96-dc8ebc call dc9424 1251->1287 1252->1251 1255 dc8fad-dc8fb6 call dcf89b 1253->1255 1256 dc8edf-dc8eef 1253->1256 1269 dc8fb8-dc8fca 1255->1269 1270 dc9029 1255->1270 1256->1255 1259 dc8ef5-dc8ef7 1256->1259 1259->1255 1263 dc8efd-dc8f23 1259->1263 1263->1255 1267 dc8f29-dc8f3c 1263->1267 1267->1255 1272 dc8f3e-dc8f40 1267->1272 1269->1270 1275 dc8fcc-dc8fdb GetConsoleMode 1269->1275 1274 dc902d-dc9045 ReadFile 1270->1274 1272->1255 1277 dc8f42-dc8f6d 1272->1277 1279 dc9047-dc904d 1274->1279 1280 dc90a1-dc90ac GetLastError 1274->1280 1275->1270 1281 dc8fdd-dc8fe1 1275->1281 1277->1255 1285 dc8f6f-dc8f82 1277->1285 1279->1280 1290 dc904f 1279->1290 1288 dc90ae-dc90c0 call dbf2d9 call dbf2c6 1280->1288 1289 dc90c5-dc90c8 1280->1289 1281->1274 1283 dc8fe3-dc8ffd ReadConsoleW 1281->1283 1284 dc900f-dc9019 call dc29c8 1282->1284 1291 dc901e-dc9027 1283->1291 1292 dc8fff GetLastError 1283->1292 1284->1238 1285->1255 1296 dc8f84-dc8f86 1285->1296 1286->1282 1287->1253 1288->1282 1293 dc90ce-dc90d0 1289->1293 1294 dc9005-dc900b call dbf2a3 1289->1294 1300 dc9052-dc9064 1290->1300 1291->1300 1292->1294 1293->1284 1294->1282 1296->1255 1303 dc8f88-dc8fa8 1296->1303 1300->1284 1307 dc9066-dc906a 1300->1307 1303->1255 1308 dc906c-dc907c call dc8a61 1307->1308 1309 dc9083-dc908e 1307->1309 1321 dc907f-dc9081 1308->1321 1315 dc909a-dc909f call dc88a1 1309->1315 1316 dc9090 call dc8bb1 1309->1316 1322 dc9095-dc9098 1315->1322 1316->1322 1321->1284 1322->1321
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 703b0e1728dad03bbfd95b2d0c4caeefedd220ce6cbc7020dd566c37a5767179
            • Instruction ID: 9841a5daad716f5723a13cb5e8b68bd131059f38d946a63d6a9deff8c676ea6f
            • Opcode Fuzzy Hash: 703b0e1728dad03bbfd95b2d0c4caeefedd220ce6cbc7020dd566c37a5767179
            • Instruction Fuzzy Hash: B9C1EF74A0424AAFCB11DFA9D855FEEBBB4AF09310F18409DF855A7392CB708941DB71
            Function 00CF25E0 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1324 cf25e0-cf268e call cf0000 1327 cf2695-cf26bb call cf34f0 CreateFileW 1324->1327 1330 cf26bd 1327->1330 1331 cf26c2-cf26d2 1327->1331 1332 cf280d-cf2811 1330->1332 1338 cf26d9-cf26f3 VirtualAlloc 1331->1338 1339 cf26d4 1331->1339 1333 cf2853-cf2856 1332->1333 1334 cf2813-cf2817 1332->1334 1340 cf2859-cf2860 1333->1340 1336 cf2819-cf281c 1334->1336 1337 cf2823-cf2827 1334->1337 1336->1337 1341 cf2829-cf2833 1337->1341 1342 cf2837-cf283b 1337->1342 1343 cf26fa-cf2711 ReadFile 1338->1343 1344 cf26f5 1338->1344 1339->1332 1345 cf28b5-cf28ca 1340->1345 1346 cf2862-cf286d 1340->1346 1341->1342 1351 cf283d-cf2847 1342->1351 1352 cf284b 1342->1352 1353 cf2718-cf2758 VirtualAlloc 1343->1353 1354 cf2713 1343->1354 1344->1332 1349 cf28cc-cf28d7 VirtualFree 1345->1349 1350 cf28da-cf28e2 1345->1350 1347 cf286f 1346->1347 1348 cf2871-cf287d 1346->1348 1347->1345 1355 cf287f-cf288f 1348->1355 1356 cf2891-cf289d 1348->1356 1349->1350 1351->1352 1352->1333 1357 cf275f-cf277a call cf3740 1353->1357 1358 cf275a 1353->1358 1354->1332 1360 cf28b3 1355->1360 1361 cf289f-cf28a8 1356->1361 1362 cf28aa-cf28b0 1356->1362 1364 cf2785-cf278f 1357->1364 1358->1332 1360->1340 1361->1360 1362->1360 1365 cf27c2-cf27d6 call cf3550 1364->1365 1366 cf2791-cf27c0 call cf3740 1364->1366 1372 cf27da-cf27de 1365->1372 1373 cf27d8 1365->1373 1366->1364 1374 cf27ea-cf27ee 1372->1374 1375 cf27e0-cf27e4 FindCloseChangeNotification 1372->1375 1373->1332 1376 cf27fe-cf2807 1374->1376 1377 cf27f0-cf27fb VirtualFree 1374->1377 1375->1374 1376->1327 1376->1332 1377->1376
            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00CF26B1
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CF28D7
            Memory Dump Source
            • Source File: 00000000.00000002.1682478802.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
            • Instruction ID: 44960239e72936b0d47c39955f681333903b70dcaf8eb975839eb54364f033ae
            • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
            • Instruction Fuzzy Hash: 6CA11571E0020CEBDB54DFA4C894BAEBBB5FF48304F208159E611BB280D7799A81DF95
            Function 00D92C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1388 d92c63-d92cd3 CreateWindowExW * 2 ShowWindow * 2
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D92C91
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D92CB2
            • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D91CAD,?), ref: 00D92CC6
            • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D91CAD,?), ref: 00D92CCF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: ebfb8abdf8dfe920f88b423d36e48a81b42f0ee84e17a9ef3d3e6b77a89585b7
            • Instruction ID: d861a2c08f264bac2296851895fe9d99da5c5afbe454ce0e71eb74a802602af4
            • Opcode Fuzzy Hash: ebfb8abdf8dfe920f88b423d36e48a81b42f0ee84e17a9ef3d3e6b77a89585b7
            • Instruction Fuzzy Hash: 82F030755802907EE7320723BC08E7B2E7DD7CAFA0B15009AF901B2260C2A10849DAB0
            Function 00CF23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145fileCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1503 cf23b0-cf24db call cf0000 call cf22a0 CreateFileW 1510 cf24dd 1503->1510 1511 cf24e2-cf24f2 1503->1511 1512 cf2592-cf2597 1510->1512 1514 cf24f9-cf2513 VirtualAlloc 1511->1514 1515 cf24f4 1511->1515 1516 cf2517-cf252e ReadFile 1514->1516 1517 cf2515 1514->1517 1515->1512 1518 cf2532-cf256c call cf22e0 call cf12a0 1516->1518 1519 cf2530 1516->1519 1517->1512 1524 cf256e-cf2583 call cf2330 1518->1524 1525 cf2588-cf2590 ExitProcess 1518->1525 1519->1512 1524->1525 1525->1512
            APIs
              • Part of subcall function 00CF22A0: Sleep.KERNELBASE(000001F4), ref: 00CF22B1
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CF24D1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682478802.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: 4528RAL2V4HYGCBVAJRGBW1M1
            • API String ID: 2694422964-1588832846
            • Opcode ID: 5a8dd326f9a301d34bcd5d413c10c3e82858fc909ef0e31b5785ce06befcf956
            • Instruction ID: 3f6388c07b4e87deacebd6c987a5b25529961595aa46d5d3f6b70a26f89af9e0
            • Opcode Fuzzy Hash: 5a8dd326f9a301d34bcd5d413c10c3e82858fc909ef0e31b5785ce06befcf956
            • Instruction Fuzzy Hash: 3F51B370D0428CDAEF11D7E4C819BEEBBB8AF19304F044199E6487B2C1D7B90B48DB66
            Function 00E02947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1527 e02947-e029b9 call dd1f50 call e025d6 call dafe0b call d95722 call e0274e call d9511f call db5232 1542 e02a6c-e02a73 call e02e66 1527->1542 1543 e029bf-e029c6 call e02e66 1527->1543 1548 e02a75-e02a77 1542->1548 1549 e02a7c 1542->1549 1543->1548 1550 e029cc-e02a6a call dbd583 call db4983 call db9038 call dbd583 call db9038 * 2 1543->1550 1551 e02cb6-e02cb7 1548->1551 1553 e02a7f-e02b3a call d950f5 * 8 call e03017 call dbe5eb 1549->1553 1550->1553 1556 e02cd5-e02cdb 1551->1556 1592 e02b43-e02b5e call e02792 1553->1592 1593 e02b3c-e02b3e 1553->1593 1557 e02cf0-e02cf6 1556->1557 1558 e02cdd-e02ced call dafdcd call dafe14 1556->1558 1558->1557 1596 e02bf0-e02bfc call dbe678 1592->1596 1597 e02b64-e02b6c 1592->1597 1593->1551 1604 e02c12-e02c16 1596->1604 1605 e02bfe-e02c0d DeleteFileW 1596->1605 1598 e02b74 1597->1598 1599 e02b6e-e02b72 1597->1599 1601 e02b79-e02b97 call d950f5 1598->1601 1599->1601 1609 e02bc1-e02bd7 call e0211d call dbdbb3 1601->1609 1610 e02b99-e02b9e 1601->1610 1607 e02c91-e02ca5 CopyFileW 1604->1607 1608 e02c18-e02c7e call e025d6 call dbd2eb * 2 call e022ce 1604->1608 1605->1551 1612 e02ca7-e02cb4 DeleteFileW 1607->1612 1613 e02cb9-e02ccf DeleteFileW call e02fd8 1607->1613 1608->1613 1632 e02c80-e02c8f DeleteFileW 1608->1632 1627 e02bdc-e02be7 1609->1627 1615 e02ba1-e02bb4 call e028d2 1610->1615 1612->1551 1618 e02cd4 1613->1618 1625 e02bb6-e02bbf 1615->1625 1618->1556 1625->1609 1627->1597 1629 e02bed 1627->1629 1629->1596 1632->1551
            APIs
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E02C05
            • DeleteFileW.KERNEL32(?), ref: 00E02C87
            • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E02C9D
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E02CAE
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E02CC0
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: File$Delete$Copy
            • String ID:
            • API String ID: 3226157194-0
            • Opcode ID: fb7be98e1412fc265a29bfc695fae93419c8cedbd8456e2391d89e6f6bfb4eb2
            • Instruction ID: c0095e22289820124cdbdfa1da6fa1341a84dc2731d357740574d59703df2e25
            • Opcode Fuzzy Hash: fb7be98e1412fc265a29bfc695fae93419c8cedbd8456e2391d89e6f6bfb4eb2
            • Instruction Fuzzy Hash: 6CB15271D00119ABDF21DBA4CC89EDEB7BDEF49350F1040AAF609F6195EA319A848F71
            Function 00D93B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1943 d93b1c-d93b27 1944 d93b99-d93b9b 1943->1944 1945 d93b29-d93b2e 1943->1945 1947 d93b8c-d93b8f 1944->1947 1945->1944 1946 d93b30-d93b48 RegOpenKeyExW 1945->1946 1946->1944 1948 d93b4a-d93b69 RegQueryValueExW 1946->1948 1949 d93b6b-d93b76 1948->1949 1950 d93b80-d93b8b RegCloseKey 1948->1950 1951 d93b78-d93b7a 1949->1951 1952 d93b90-d93b97 1949->1952 1950->1947 1953 d93b7e 1951->1953 1952->1953 1953->1950
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00D93B0F,SwapMouseButtons,00000004,?), ref: 00D93B40
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00D93B0F,SwapMouseButtons,00000004,?), ref: 00D93B61
            • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00D93B0F,SwapMouseButtons,00000004,?), ref: 00D93B83
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: 6953d570efecba46510bb7499ddf8d4328af92f5bd910c3bcdc23e695bd04dd2
            • Instruction ID: 742f3e35709110ceaf8776b54073854302015d7217c72444b591a0b7db79e898
            • Opcode Fuzzy Hash: 6953d570efecba46510bb7499ddf8d4328af92f5bd910c3bcdc23e695bd04dd2
            • Instruction Fuzzy Hash: C6112AB5510208FFDF208FA5DC44EAEB7B8EF04748B144459A805E7210D2719E4597A0
            Function 00CF12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON
            Download Yara Rule
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 00CF1A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CF1AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CF1B13
            Memory Dump Source
            • Source File: 00000000.00000002.1682478802.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: e15f4bf7b2d8a2436c426929ce02fd6b814221300437380313034c1dc15b3d9c
            • Instruction ID: 965beeae8766fc67bc9a9eb2a2c93723d4ab3da3f5d6cc79394ac971322653d1
            • Opcode Fuzzy Hash: e15f4bf7b2d8a2436c426929ce02fd6b814221300437380313034c1dc15b3d9c
            • Instruction Fuzzy Hash: 11622030A14258DBEB64CFA4C840BEEB371EF58300F1491A9D61DEB394E7759E81CB5A
            Function 00D93923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON
            Download Yara Rule
            APIs
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DD33A2
              • Part of subcall function 00D96B57: _wcslen.LIBCMT ref: 00D96B6A
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D93A04
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_wcslen
            • String ID: Line:
            • API String ID: 2289894680-1585850449
            • Opcode ID: 1c71c5187a7583180e54c1e16863d51f6b38b738bd0762df8d7469506a01463f
            • Instruction ID: e9ce9bdf70a55494884ce0cc5e5eed0775f64247ad35ed06efe1dff1f12973d3
            • Opcode Fuzzy Hash: 1c71c5187a7583180e54c1e16863d51f6b38b738bd0762df8d7469506a01463f
            • Instruction Fuzzy Hash: D531C471448300AECB21EB54DC45BEFB7D8EB40754F18455EF59A93191EB709648CBF2
            Function 00D92DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON
            Download Yara Rule
            APIs
            • GetOpenFileNameW.COMDLG32(?), ref: 00DD2C8C
              • Part of subcall function 00D93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D93A97,?,?,00D92E7F,?,?,?,00000000), ref: 00D93AC2
              • Part of subcall function 00D92DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D92DC4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen
            • String ID: X$`e
            • API String ID: 779396738-4036142377
            • Opcode ID: a24c9248e0a8b8e16b3ff3fa2947b9b682894b5957b84d9c49b3e3486422f2f5
            • Instruction ID: 3527de91a1528ce46310f199fe47b286570b4b5796be8513fd8fc5e94ced9b33
            • Opcode Fuzzy Hash: a24c9248e0a8b8e16b3ff3fa2947b9b682894b5957b84d9c49b3e3486422f2f5
            • Instruction Fuzzy Hash: BD218171A10258AEDF419F94C845BEE7BF8EF48305F40405AE445B7241EBB49A498BB1
            Function 00DAFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON
            Download Yara Rule
            APIs
            • __CxxThrowException@8.LIBVCRUNTIME ref: 00DB0668
              • Part of subcall function 00DB32A4: RaiseException.KERNEL32(?,?,?,00DB068A,?,00E61444,?,?,?,?,?,?,00DB068A,00D91129,00E58738,00D91129), ref: 00DB3304
            • __CxxThrowException@8.LIBVCRUNTIME ref: 00DB0685
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Exception@8Throw$ExceptionRaise
            • String ID: Unknown exception
            • API String ID: 3476068407-410509341
            • Opcode ID: b26722a054e25fc37966fd7f630fff371fbe7b7185eb75eef9b9439aeefa58e1
            • Instruction ID: 8649ec8ba3c0d985349a73fd3db1b4971ea3d25abb87899cce75895f4fed9cb1
            • Opcode Fuzzy Hash: b26722a054e25fc37966fd7f630fff371fbe7b7185eb75eef9b9439aeefa58e1
            • Instruction Fuzzy Hash: 29F0AF2490020DF7CF10B6A4D846CDE7B6C9E40350B604571B816A6592EF71DA2986B0
            Function 00E03017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON
            Download Yara Rule
            APIs
            • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00E0302F
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E03044
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: 49739ae247c96e4db414cd6d0d6ba6e9425d2833d57b2228c2983a38696b4376
            • Instruction ID: 7f6eb49d609c7ddb526037f5cf7c4e5ecf83e65362e32d1e4d92ad64b00effcd
            • Opcode Fuzzy Hash: 49739ae247c96e4db414cd6d0d6ba6e9425d2833d57b2228c2983a38696b4376
            • Instruction Fuzzy Hash: 09D05E72500328EBDA30A7A5EC0EFCB3A6CDB04751F4006A1BA55F20A1DEB09989CAD0
            Function 00E17F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON
            Download Yara Rule
            APIs
            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00E182F5
            • TerminateProcess.KERNEL32(00000000), ref: 00E182FC
            • FreeLibrary.KERNEL32(?,?,?,?), ref: 00E184DD
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process$CurrentFreeLibraryTerminate
            • String ID:
            • API String ID: 146820519-0
            • Opcode ID: dd9d604f0f0195259a74b86dffbc1f5d75fccddf700b1e548de3c24b53f7f000
            • Instruction ID: c737669cc689e936b0a8a5076422c76a4d7f591f85639beecb3ee23a2ee17649
            • Opcode Fuzzy Hash: dd9d604f0f0195259a74b86dffbc1f5d75fccddf700b1e548de3c24b53f7f000
            • Instruction Fuzzy Hash: 21128C71A083019FC710DF28C584B6ABBE1FF89318F14995DE8999B252DB30ED85CF92
            Function 00DC5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4882e714475eccfd84190569230addf699a5f8963c3a86fd8116ddb43417d158
            • Instruction ID: 30c7cb5fee93cf75074194d1405613557bcae87f5dfd1a76c9721db304eb5cc1
            • Opcode Fuzzy Hash: 4882e714475eccfd84190569230addf699a5f8963c3a86fd8116ddb43417d158
            • Instruction Fuzzy Hash: 4151EF7190060BAFCB209FA5ED45FEEBFB9EF05310F28005DF401A7295C671A9818B71
            Function 00D910F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D91BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D91BF4
              • Part of subcall function 00D91BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D91BFC
              • Part of subcall function 00D91BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D91C07
              • Part of subcall function 00D91BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D91C12
              • Part of subcall function 00D91BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D91C1A
              • Part of subcall function 00D91BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D91C22
              • Part of subcall function 00D91B4A: RegisterWindowMessageW.USER32(00000004,?,00D912C4), ref: 00D91BA2
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D9136A
            • OleInitialize.OLE32 ref: 00D91388
            • CloseHandle.KERNEL32(00000000,00000000), ref: 00DD24AB
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
            • String ID:
            • API String ID: 1986988660-0
            • Opcode ID: 89c743bd46c0a57e08b4936840f6f4faf85d9769d1584494fbfebb7e47cf50c0
            • Instruction ID: 3e44907a3ec98b24cebb2d7c1b61b0151cdfde9804b67f9b5be70e3a5d65f1a6
            • Opcode Fuzzy Hash: 89c743bd46c0a57e08b4936840f6f4faf85d9769d1584494fbfebb7e47cf50c0
            • Instruction Fuzzy Hash: 9971BFB49012408EC786DF7BF84665ABAE0FBC93C435C51AAD01BF7261EBB04449CF61
            Function 00DC86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00DC85CC,?,00E58CC8,0000000C), ref: 00DC8704
            • GetLastError.KERNEL32(?,00DC85CC,?,00E58CC8,0000000C), ref: 00DC870E
            • __dosmaperr.LIBCMT ref: 00DC8739
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
            • String ID:
            • API String ID: 490808831-0
            • Opcode ID: 213b1a742fb7ee955f41ef51d0e5e2c063df7f97ab636159e19ad5eb6676de03
            • Instruction ID: 9d1d0f02f89deea5415332870396ff72ed889ffc657e7bd93f06ca2358f0ffd9
            • Opcode Fuzzy Hash: 213b1a742fb7ee955f41ef51d0e5e2c063df7f97ab636159e19ad5eb6676de03
            • Instruction Fuzzy Hash: 6D01DB326456622ADA646334B845F7F67498B817B8F3D025DF8149B1D2DEA1ECC1A1B0
            Function 00E02FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON
            Download Yara Rule
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00E02CD4,?,?,?,00000004,00000001), ref: 00E02FF2
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E02CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E03006
            • CloseHandle.KERNEL32(00000000,?,00E02CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E0300D
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: 102c8fa35d1b40456cb08f333670678b2bea3b538978d8632bb389c36c31e06c
            • Instruction ID: 573208bb60df61c6d5d92727995cc37d207aa18e34bf40de6a30c4fe7f693029
            • Opcode Fuzzy Hash: 102c8fa35d1b40456cb08f333670678b2bea3b538978d8632bb389c36c31e06c
            • Instruction Fuzzy Hash: B2E086362813107BD2301766FC0EF8F3A2CD78AB75F204210F759750D146A0151642A8
            Function 00DA1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON
            Download Yara Rule
            APIs
            • __Init_thread_footer.LIBCMT ref: 00DA17F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: CALL
            • API String ID: 1385522511-4196123274
            • Opcode ID: 2e14fe822ecab9473c2faef4ec730396e37f40fda5f7074ee968c9fa333348f4
            • Instruction ID: 36468170ab788e53b47764f07d3219b8e71d2cb32812d024f216c313dd25629c
            • Opcode Fuzzy Hash: 2e14fe822ecab9473c2faef4ec730396e37f40fda5f7074ee968c9fa333348f4
            • Instruction Fuzzy Hash: 0C2289746083419FC714DF25C480A2ABBF1FF9A354F28895DF4968B3A1D771E845CBA2
            Function 00E06EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON
            Download Yara Rule
            APIs
            • _wcslen.LIBCMT ref: 00E06F6B
              • Part of subcall function 00D94ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94EFD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: LibraryLoad_wcslen
            • String ID: >>>AUTOIT SCRIPT<<<
            • API String ID: 3312870042-2806939583
            • Opcode ID: 1925252cc80ba509b41a7501f6b424821167d63f69e7580ee3652e8498405cba
            • Instruction ID: 07c7ac27ab3f4978c8c85e86b9cc08fca7ade3f7c672b16727591b227da96bc5
            • Opcode Fuzzy Hash: 1925252cc80ba509b41a7501f6b424821167d63f69e7580ee3652e8498405cba
            • Instruction Fuzzy Hash: 64B181716082019FCB14EF24C4919AEB7E5FF94314F44895DF496972A2EB30ED89CBB2
            Function 00E02557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID: EA06
            • API String ID: 2638373210-3962188686
            • Opcode ID: 5ebb6d84730bf467d25b49e99e41441ea7f2760a2a01fea2ef69f68c333a2966
            • Instruction ID: 1be6048c90298904630bda1888018d0498a9c8da94c58ca24671c2cb6dc45eea
            • Opcode Fuzzy Hash: 5ebb6d84730bf467d25b49e99e41441ea7f2760a2a01fea2ef69f68c333a2966
            • Instruction Fuzzy Hash: 9B019272904258AEDF18C7A88C5AAEEBBF8DB05305F00455AE553E21C1E5B4E6088B70
            Function 00D93837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON
            Download Yara Rule
            APIs
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D93908
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: IconNotifyShell_
            • String ID:
            • API String ID: 1144537725-0
            • Opcode ID: feb8bcb2f3baf135a3c1ee3ffa171e2acb5577430697ed234f61f776a6e58c7c
            • Instruction ID: cbcbf7a42910f889ee52fd15367b5153aa34e951fe4c6d28f6656deb5c5a113a
            • Opcode Fuzzy Hash: feb8bcb2f3baf135a3c1ee3ffa171e2acb5577430697ed234f61f776a6e58c7c
            • Instruction Fuzzy Hash: E93193706043019FD721DF65D88479BBBE4FB49748F04096EF59A97340E7B1AA48CBA2
            Function 00CF129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON
            Download Yara Rule
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 00CF1A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CF1AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CF1B13
            Memory Dump Source
            • Source File: 00000000.00000002.1682478802.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
            • Instruction ID: 438ad85f4c1c8a1db4a14b6746d3650e6e975c898ddf2762f8b35b817101f9a2
            • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
            • Instruction Fuzzy Hash: 7712CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A
            Function 00D94ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D94E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D94EDD,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94E9C
              • Part of subcall function 00D94E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D94EAE
              • Part of subcall function 00D94E90: FreeLibrary.KERNEL32(00000000,?,?,00D94EDD,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94EC0
            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94EFD
              • Part of subcall function 00D94E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DD3CDE,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94E62
              • Part of subcall function 00D94E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D94E74
              • Part of subcall function 00D94E59: FreeLibrary.KERNEL32(00000000,?,?,00DD3CDE,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94E87
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Library$Load$AddressFreeProc
            • String ID:
            • API String ID: 2632591731-0
            • Opcode ID: 54979d594a98f51d8de05984bde7ec1de9e5bf84137d95f5c4647bd831b4bbf1
            • Instruction ID: 0e20053a8ef20bf12ca0c8ceafbdf04fd5606263f93f2f485543da02c44424be
            • Opcode Fuzzy Hash: 54979d594a98f51d8de05984bde7ec1de9e5bf84137d95f5c4647bd831b4bbf1
            • Instruction Fuzzy Hash: 0011E332610306AACF24EF64DC12FAD77A5EF40750F20842EF582B61D2EE709A4A9770
            Function 00DC8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: __wsopen_s
            • String ID:
            • API String ID: 3347428461-0
            • Opcode ID: ce35fe2cb9752933f15647687646b8c28bf32bbbdb915cefd9fcdda81d045d8d
            • Instruction ID: c1c80caf170b436a3889c7b79e2b90f5b83d5c1f43356573c463079ceb09f556
            • Opcode Fuzzy Hash: ce35fe2cb9752933f15647687646b8c28bf32bbbdb915cefd9fcdda81d045d8d
            • Instruction Fuzzy Hash: FE11187590820AAFCB0ADF58E941E9B7BF5EF48314F154069F808AB312DA31DA11DBA5
            Function 00DC5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE
            Download Yara Rule
            APIs
              • Part of subcall function 00DC4C7D: RtlAllocateHeap.NTDLL(00000008,00D91129,00000000,?,00DC2E29,00000001,00000364,?,?,?,00DBF2DE,00DC3863,00E61444,?,00DAFDF5,?), ref: 00DC4CBE
            • _free.LIBCMT ref: 00DC506C
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
            • Instruction ID: 4d5377236a83ffef48c92c64bd0942de7dc9521032a9b912bdb66654a31cabd8
            • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
            • Instruction Fuzzy Hash: 830126722047066BE3318E65E881F5AFBE8FB89370F29051DE58483280EB30A845C7B4
            Function 00DBE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
            • Instruction ID: ef8e9f35ede400175943f7bdbcd4708958aae0bc001c1312dd458793edfcde9c
            • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
            • Instruction Fuzzy Hash: 13F0F432511A14DACA313A698C05FDA3799DF52334F140B19F822931D2DB70D8028AB5
            Function 00DC4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • RtlAllocateHeap.NTDLL(00000008,00D91129,00000000,?,00DC2E29,00000001,00000364,?,?,?,00DBF2DE,00DC3863,00E61444,?,00DAFDF5,?), ref: 00DC4CBE
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 3b097f0ed944e8816648feda3ddda68ff1669174ed5f662ce7fc259fb047d556
            • Instruction ID: 1c2b0af9f4c3b902ab797c7bc3da1e819efefb02e6d3eb1249e2d4a278d33f63
            • Opcode Fuzzy Hash: 3b097f0ed944e8816648feda3ddda68ff1669174ed5f662ce7fc259fb047d556
            • Instruction Fuzzy Hash: D5F0B431603226A6DB215F629F15F9A3798AF817B1B194119FC16E72A1CA70D81146F0
            Function 00DC3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,00E61444,?,00DAFDF5,?,?,00D9A976,00000010,00E61440,00D913FC,?,00D913C6,?,00D91129), ref: 00DC3852
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: c57de611b4100a7fc9213eb38fddf32521f4e25e301ff00e06cb262f0fcc2766
            • Instruction ID: 206f6080e72a8ceef8462d1285c8d85a8e157d528c26286ee1c0c1e2cc4b8738
            • Opcode Fuzzy Hash: c57de611b4100a7fc9213eb38fddf32521f4e25e301ff00e06cb262f0fcc2766
            • Instruction Fuzzy Hash: 18E0E5311063269AE6312A679C01FDB3658EF427B0F1D8028BC46A3581CB10DD0185F4
            Function 00D94F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
            Download Yara Rule
            APIs
            • FreeLibrary.KERNEL32(?,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94F6D
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: b7232da47a5c7b8200e68099f3d5eaa05416f331b0d5c33bd69fee6f262b9224
            • Instruction ID: 86f76f4454e993a4cf37014283030964b73f1265cb423e212b8aabcee4042a93
            • Opcode Fuzzy Hash: b7232da47a5c7b8200e68099f3d5eaa05416f331b0d5c33bd69fee6f262b9224
            • Instruction Fuzzy Hash: 99F01571109752CFDB349FA4D494C66BBE4EF143293248A6EE1EA82622C7319849DB20
            Function 00D92DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
            Download Yara Rule
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D92DC4
              • Part of subcall function 00D96B57: _wcslen.LIBCMT ref: 00D96B6A
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: LongNamePath_wcslen
            • String ID:
            • API String ID: 541455249-0
            • Opcode ID: e34b47be70cb127988a7516c38323de2037afd0169cac5d5ef978bca6a602650
            • Instruction ID: 26dab998d619714240ed1211e73f909390cdef5d0e1dcbca13460756a682baac
            • Opcode Fuzzy Hash: e34b47be70cb127988a7516c38323de2037afd0169cac5d5ef978bca6a602650
            • Instruction Fuzzy Hash: B6E0CD776041245BCB209398DC05FDA77DDDFC8790F040071FD09E7258E960ED848670
            Function 00E02693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID:
            • API String ID: 2638373210-0
            • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
            • Instruction ID: 07fda549fe3d38fd4c4c97e4e06b9b144d9c538e4cee13062894cf20480f2505
            • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
            • Instruction Fuzzy Hash: 9BE04FB0609B009FDF395A28A8517F677E8DF49304F10086EF69F93352E57378858A5D
            Function 00D92B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D93837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D93908
              • Part of subcall function 00D9D730: GetInputState.USER32 ref: 00D9D807
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00D92B6B
              • Part of subcall function 00D930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00D9314E
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: IconNotifyShell_$CurrentDirectoryInputState
            • String ID:
            • API String ID: 3667716007-0
            • Opcode ID: 8f07c63a086a0984d4c37262635ce158ee6a92325d90b40f7355ab6095b5a2fe
            • Instruction ID: bebb1ba3b22443d41588970c3767edf8e75b2744f18fd830c2cffd95ab33b04c
            • Opcode Fuzzy Hash: 8f07c63a086a0984d4c37262635ce158ee6a92325d90b40f7355ab6095b5a2fe
            • Instruction Fuzzy Hash: B0E07D213002040BCF08BBB6A82247DF389CFE1391F44147EF15793163CF2049494332
            Function 00DD039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • CreateFileW.KERNELBASE(00000000,00000000,?,00DD0704,?,?,00000000,?,00DD0704,00000000,0000000C), ref: 00DD03B7
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 42d1e1b54ae9f35fae064a78b2826bef95411fa505b287d3efbf1db0395921e0
            • Instruction ID: a23bfe727560cd8118e7b5dfc1678c411630af44769f3a68eab3a7669d403137
            • Opcode Fuzzy Hash: 42d1e1b54ae9f35fae064a78b2826bef95411fa505b287d3efbf1db0395921e0
            • Instruction Fuzzy Hash: 2ED06C3204010DBFDF128F85DD06EDA3BAAFB48714F114000BE5866020C732E832AB90
            Function 00D91CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON
            Download Yara Rule
            APIs
            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00D91CBC
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: InfoParametersSystem
            • String ID:
            • API String ID: 3098949447-0
            • Opcode ID: e8a468372071c408d8a05c4b64fbbc70d4cd520e54a83f723aa6f583bf5739b5
            • Instruction ID: b5abe07cebc57d6a12655c3448528f4abede55a10d1fd90c6e3edfa8b4d5e9fd
            • Opcode Fuzzy Hash: e8a468372071c408d8a05c4b64fbbc70d4cd520e54a83f723aa6f583bf5739b5
            • Instruction Fuzzy Hash: 36C09B352C03049FF2254781FC4AF157754A75CB40F144001F70A755E3C3E15414D651
            Function 00DED8DD Relevance: 1.5, APIs: 1, Instructions: 7COMMON
            Download Yara Rule
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 00DED8E9
              • Part of subcall function 00D933A7: _wcslen.LIBCMT ref: 00D933AB
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: PathTemp_wcslen
            • String ID:
            • API String ID: 1974555822-0
            • Opcode ID: f2aaef8fb4ccc6a52af5a1f015e414800e3b5146fe2a23ac5b7a24cb44e03836
            • Instruction ID: d68f94428e9c73d505dfef2cf467b8f58fd119a1c6b65230c9ae4f9117489196
            • Opcode Fuzzy Hash: f2aaef8fb4ccc6a52af5a1f015e414800e3b5146fe2a23ac5b7a24cb44e03836
            • Instruction Fuzzy Hash: 1CC04C7554105ADFDBA0AB91CDC9AAC7324EF00301F104095E249910509E709A498B21
            Function 00DAFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction ID: 418346b3d5677c4690153272b40fd6cf12ec1b2c052f04f69fce12cf9e1042b6
            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction Fuzzy Hash: C731F575A00109DBCB19DF9AD4C0969F7A2FF4A310B2886E5E809CB655D731EDC1CBE0
            Function 00CF22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
            Download Yara Rule
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 00CF22B1
            Memory Dump Source
            • Source File: 00000000.00000002.1682478802.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction ID: 4f90b5cd2c036000ec4c76ef82fd40400b70782acce3659f519f9dd03ec24ee6
            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction Fuzzy Hash: 5FE0E67498110EDFDB00EFB8D5496AE7FB4EF04311F100161FD01D2280D6309D508A72

            Non-executed Functions

            Function 00E29576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00DA9BB2
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E2961A
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E2965B
            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E2969F
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E296C9
            • SendMessageW.USER32 ref: 00E296F2
            • GetKeyState.USER32(00000011), ref: 00E2978B
            • GetKeyState.USER32(00000009), ref: 00E29798
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E297AE
            • GetKeyState.USER32(00000010), ref: 00E297B8
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E297E9
            • SendMessageW.USER32 ref: 00E29810
            • SendMessageW.USER32(?,00001030,?,00E27E95), ref: 00E29918
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E2992E
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E29941
            • SetCapture.USER32(?), ref: 00E2994A
            • ClientToScreen.USER32(?,?), ref: 00E299AF
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E299BC
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E299D6
            • ReleaseCapture.USER32 ref: 00E299E1
            • GetCursorPos.USER32(?), ref: 00E29A19
            • ScreenToClient.USER32(?,?), ref: 00E29A26
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E29A80
            • SendMessageW.USER32 ref: 00E29AAE
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E29AEB
            • SendMessageW.USER32 ref: 00E29B1A
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E29B3B
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E29B4A
            • GetCursorPos.USER32(?), ref: 00E29B68
            • ScreenToClient.USER32(?,?), ref: 00E29B75
            • GetParent.USER32(?), ref: 00E29B93
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E29BFA
            • SendMessageW.USER32 ref: 00E29C2B
            • ClientToScreen.USER32(?,?), ref: 00E29C84
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E29CB4
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E29CDE
            • SendMessageW.USER32 ref: 00E29D01
            • ClientToScreen.USER32(?,?), ref: 00E29D4E
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E29D82
              • Part of subcall function 00DA9944: GetWindowLongW.USER32(?,000000EB), ref: 00DA9952
            • GetWindowLongW.USER32(?,000000F0), ref: 00E29E05
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
            • String ID: @GUI_DRAGID$F$p#
            • API String ID: 3429851547-638943876
            • Opcode ID: 62822cb140f0b89af664d4f6f4d0cee64f0cbe7667438fdeea91248972cf6267
            • Instruction ID: 6f4dea17a3f6e13dddac7d3554a0784631d0b097bcbd97abd3357ef523dfea13
            • Opcode Fuzzy Hash: 62822cb140f0b89af664d4f6f4d0cee64f0cbe7667438fdeea91248972cf6267
            • Instruction Fuzzy Hash: F642E130204210AFDB25CF24EC44EAABBE5FF88714F14261DF699A72A2D771E855CF52
            Function 00E24873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00E248F3
            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00E24908
            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00E24927
            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00E2494B
            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00E2495C
            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00E2497B
            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00E249AE
            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00E249D4
            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00E24A0F
            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00E24A56
            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00E24A7E
            • IsMenu.USER32(?), ref: 00E24A97
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E24AF2
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E24B20
            • GetWindowLongW.USER32(?,000000F0), ref: 00E24B94
            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00E24BE3
            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00E24C82
            • wsprintfW.USER32 ref: 00E24CAE
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E24CC9
            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00E24CF1
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E24D13
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E24D33
            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00E24D5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
            • String ID: %d/%02d/%02d
            • API String ID: 4054740463-328681919
            • Opcode ID: e44a2476281698399e6b8a0c6d6d0b82b9d6ec5093262e6b4fbd38688b06f24f
            • Instruction ID: 551ba2af735cd14ae6803bee46ac01ad09dd900fff9fa6b425e315030b30dfd9
            • Opcode Fuzzy Hash: e44a2476281698399e6b8a0c6d6d0b82b9d6ec5093262e6b4fbd38688b06f24f
            • Instruction Fuzzy Hash: 821202B1600224AFEB248F29EC49FAE7BF8EF85714F105119F515FA2E1D7749A41CB60
            Function 00DAF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON
            Download Yara Rule
            APIs
            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00DAF998
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DEF474
            • IsIconic.USER32(00000000), ref: 00DEF47D
            • ShowWindow.USER32(00000000,00000009), ref: 00DEF48A
            • SetForegroundWindow.USER32(00000000), ref: 00DEF494
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DEF4AA
            • GetCurrentThreadId.KERNEL32 ref: 00DEF4B1
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DEF4BD
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DEF4CE
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DEF4D6
            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00DEF4DE
            • SetForegroundWindow.USER32(00000000), ref: 00DEF4E1
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DEF4F6
            • keybd_event.USER32(00000012,00000000), ref: 00DEF501
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DEF50B
            • keybd_event.USER32(00000012,00000000), ref: 00DEF510
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DEF519
            • keybd_event.USER32(00000012,00000000), ref: 00DEF51E
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DEF528
            • keybd_event.USER32(00000012,00000000), ref: 00DEF52D
            • SetForegroundWindow.USER32(00000000), ref: 00DEF530
            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00DEF557
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            • Opcode ID: ea1d3075a8fce2f4ae87ac229cbad676c2c1e2eeb65458b8fa5be01a89e12711
            • Instruction ID: 442b33c876a40e7c0663304982daa58b2f730c07a13e22ed1ca45398a298d918
            • Opcode Fuzzy Hash: ea1d3075a8fce2f4ae87ac229cbad676c2c1e2eeb65458b8fa5be01a89e12711
            • Instruction Fuzzy Hash: FD315871A402187FEB316BB69C49FBF7E6CEB44B50F240065F601F61D1C6B19D01AAB1
            Function 00DF1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DF16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DF170D
              • Part of subcall function 00DF16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DF173A
              • Part of subcall function 00DF16C3: GetLastError.KERNEL32 ref: 00DF174A
            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00DF1286
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00DF12A8
            • CloseHandle.KERNEL32(?), ref: 00DF12B9
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DF12D1
            • GetProcessWindowStation.USER32 ref: 00DF12EA
            • SetProcessWindowStation.USER32(00000000), ref: 00DF12F4
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DF1310
              • Part of subcall function 00DF10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DF11FC), ref: 00DF10D4
              • Part of subcall function 00DF10BF: CloseHandle.KERNEL32(?,?,00DF11FC), ref: 00DF10E9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
            • String ID: $default$winsta0$Z
            • API String ID: 22674027-1808616255
            • Opcode ID: 16ed32249f82957e1814d24db70c3345c36c24b50606e33e96d1f3a4da54ddb6
            • Instruction ID: 08260320790b712f9c3f45e9795bff5969fcbbbe495d53ae46647917b622c331
            • Opcode Fuzzy Hash: 16ed32249f82957e1814d24db70c3345c36c24b50606e33e96d1f3a4da54ddb6
            • Instruction Fuzzy Hash: C0816775900209EFDF249FA5DC49BFE7BB9EF44704F298129FA11B61A0C7318A49CB60
            Function 00DF0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DF10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DF1114
              • Part of subcall function 00DF10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00DF0B9B,?,?,?), ref: 00DF1120
              • Part of subcall function 00DF10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DF0B9B,?,?,?), ref: 00DF112F
              • Part of subcall function 00DF10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DF0B9B,?,?,?), ref: 00DF1136
              • Part of subcall function 00DF10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DF114D
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DF0BCC
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DF0C00
            • GetLengthSid.ADVAPI32(?), ref: 00DF0C17
            • GetAce.ADVAPI32(?,00000000,?), ref: 00DF0C51
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DF0C6D
            • GetLengthSid.ADVAPI32(?), ref: 00DF0C84
            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00DF0C8C
            • HeapAlloc.KERNEL32(00000000), ref: 00DF0C93
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DF0CB4
            • CopySid.ADVAPI32(00000000), ref: 00DF0CBB
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DF0CEA
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DF0D0C
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DF0D1E
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DF0D45
            • HeapFree.KERNEL32(00000000), ref: 00DF0D4C
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DF0D55
            • HeapFree.KERNEL32(00000000), ref: 00DF0D5C
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DF0D65
            • HeapFree.KERNEL32(00000000), ref: 00DF0D6C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00DF0D78
            • HeapFree.KERNEL32(00000000), ref: 00DF0D7F
              • Part of subcall function 00DF1193: GetProcessHeap.KERNEL32(00000008,00DF0BB1,?,00000000,?,00DF0BB1,?), ref: 00DF11A1
              • Part of subcall function 00DF1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00DF0BB1,?), ref: 00DF11A8
              • Part of subcall function 00DF1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00DF0BB1,?), ref: 00DF11B7
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
            • String ID:
            • API String ID: 4175595110-0
            • Opcode ID: 8a0a8b3c18ee2414a2694721ee7c8f1751e7fc16bf752ad0f1c515f07dc48b15
            • Instruction ID: d5ef4e1d20f4a81ffdea16b2221c7e9d81d673fc9977406d820ac27dae1224a6
            • Opcode Fuzzy Hash: 8a0a8b3c18ee2414a2694721ee7c8f1751e7fc16bf752ad0f1c515f07dc48b15
            • Instruction Fuzzy Hash: CA716B7590020AAFDF209FA5DC45FFEBBBDAF04300F198515EA14A7192D771A949CB70
            Function 00E0EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON
            Download Yara Rule
            APIs
            • OpenClipboard.USER32(00E2CC08), ref: 00E0EB29
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00E0EB37
            • GetClipboardData.USER32(0000000D), ref: 00E0EB43
            • CloseClipboard.USER32 ref: 00E0EB4F
            • GlobalLock.KERNEL32(00000000), ref: 00E0EB87
            • CloseClipboard.USER32 ref: 00E0EB91
            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00E0EBBC
            • IsClipboardFormatAvailable.USER32(00000001), ref: 00E0EBC9
            • GetClipboardData.USER32(00000001), ref: 00E0EBD1
            • GlobalLock.KERNEL32(00000000), ref: 00E0EBE2
            • GlobalUnlock.KERNEL32(00000000,?), ref: 00E0EC22
            • IsClipboardFormatAvailable.USER32(0000000F), ref: 00E0EC38
            • GetClipboardData.USER32(0000000F), ref: 00E0EC44
            • GlobalLock.KERNEL32(00000000), ref: 00E0EC55
            • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00E0EC77
            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00E0EC94
            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00E0ECD2
            • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00E0ECF3
            • CountClipboardFormats.USER32 ref: 00E0ED14
            • CloseClipboard.USER32 ref: 00E0ED59
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
            • String ID:
            • API String ID: 420908878-0
            • Opcode ID: 8b26635bf52d13dee212ecb1c1e38befc8d624b35508bae6a0bb945f6dcba73a
            • Instruction ID: b456c7ebc9961c465c68ea71504512c20bfed7af86240dc90bc9fd1bcee01d24
            • Opcode Fuzzy Hash: 8b26635bf52d13dee212ecb1c1e38befc8d624b35508bae6a0bb945f6dcba73a
            • Instruction Fuzzy Hash: 3461BF35204201AFD720EF25D895F6EB7A4EF84708F14592DF456A72E1CB31D98ACBA2
            Function 00E0698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON
            Download Yara Rule
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00E069BE
            • FindClose.KERNEL32(00000000), ref: 00E06A12
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E06A4E
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E06A75
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E06AB2
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E06ADF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
            • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
            • API String ID: 3830820486-3289030164
            • Opcode ID: 32b7131f0fb2ef00b744f6deb3b4042d8787c8ec20d143c4dac52969386f26b2
            • Instruction ID: 2d138888cd9732b123d93ad95d52555cfc185804a4e1f8522049f68bc0b4f8fe
            • Opcode Fuzzy Hash: 32b7131f0fb2ef00b744f6deb3b4042d8787c8ec20d143c4dac52969386f26b2
            • Instruction Fuzzy Hash: 05D13CB2508300AEC710EBA4C891EABB7FCEF98704F44491DF599D6191EB74DA48CB72
            Function 00E09642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON
            Download Yara Rule
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00E09663
            • GetFileAttributesW.KERNEL32(?), ref: 00E096A1
            • SetFileAttributesW.KERNEL32(?,?), ref: 00E096BB
            • FindNextFileW.KERNEL32(00000000,?), ref: 00E096D3
            • FindClose.KERNEL32(00000000), ref: 00E096DE
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00E096FA
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E0974A
            • SetCurrentDirectoryW.KERNEL32(00E56B7C), ref: 00E09768
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E09772
            • FindClose.KERNEL32(00000000), ref: 00E0977F
            • FindClose.KERNEL32(00000000), ref: 00E0978F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1409584000-438819550
            • Opcode ID: 0f722bad5f7992dd8c552554f4509816aa62845d0659a47e8647b407a0e28e8f
            • Instruction ID: 3368cb5cf5062011d98c215a602601f6bf80cb24d92d84bdaadf6ada9a626127
            • Opcode Fuzzy Hash: 0f722bad5f7992dd8c552554f4509816aa62845d0659a47e8647b407a0e28e8f
            • Instruction Fuzzy Hash: 4B31E232541619AECB20EFB5EC09ADE77AC9F09324F245156F805F30E2DB70DA898A64
            Function 00E0979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON
            Download Yara Rule
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00E097BE
            • FindNextFileW.KERNEL32(00000000,?), ref: 00E09819
            • FindClose.KERNEL32(00000000), ref: 00E09824
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00E09840
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E09890
            • SetCurrentDirectoryW.KERNEL32(00E56B7C), ref: 00E098AE
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E098B8
            • FindClose.KERNEL32(00000000), ref: 00E098C5
            • FindClose.KERNEL32(00000000), ref: 00E098D5
              • Part of subcall function 00DFDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DFDB00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 2640511053-438819550
            • Opcode ID: 654126eadf1630a64df6a15cb6c6f9708043358c5044f551aa7ce095e311cea5
            • Instruction ID: 3785e233d90a291fdf59a58b6cc5c0388fae1f7473be2efce3f9027c4dc27518
            • Opcode Fuzzy Hash: 654126eadf1630a64df6a15cb6c6f9708043358c5044f551aa7ce095e311cea5
            • Instruction Fuzzy Hash: 85310332501619AEDB24EFB5EC48ADE73ACDF06324F209155E810B32E2DB30D989CB34
            Function 00E08195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON
            Download Yara Rule
            APIs
            • GetLocalTime.KERNEL32(?), ref: 00E08257
            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E08267
            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E08273
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E08310
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E08324
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E08356
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00E0838C
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E08395
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CurrentDirectoryTime$File$Local$System
            • String ID: *.*
            • API String ID: 1464919966-438819550
            • Opcode ID: 31be88afa7f4af116f8246e4ab2aca69ac65d938a9446e5f1e64eb523457bee1
            • Instruction ID: 89e5784a3aceb9b366b94fd25203a6e8d0c63e1aba939acabb6c8aceeccd9c86
            • Opcode Fuzzy Hash: 31be88afa7f4af116f8246e4ab2aca69ac65d938a9446e5f1e64eb523457bee1
            • Instruction Fuzzy Hash: 7F6181725083459FCB10EF60C9409AEB3E8FF89314F04491EF989E7261EB35E945CBA2
            Function 00DFD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D93A97,?,?,00D92E7F,?,?,?,00000000), ref: 00D93AC2
              • Part of subcall function 00DFE199: GetFileAttributesW.KERNEL32(?,00DFCF95), ref: 00DFE19A
            • FindFirstFileW.KERNEL32(?,?), ref: 00DFD122
            • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00DFD1DD
            • MoveFileW.KERNEL32(?,?), ref: 00DFD1F0
            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00DFD20D
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DFD237
              • Part of subcall function 00DFD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00DFD21C,?,?), ref: 00DFD2B2
            • FindClose.KERNEL32(00000000,?,?,?), ref: 00DFD253
            • FindClose.KERNEL32(00000000), ref: 00DFD264
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
            • String ID: \*.*
            • API String ID: 1946585618-1173974218
            • Opcode ID: 996d0565ccb8a567934b8a1f456e96b50024858cfa45fca0a427857bf151ba7d
            • Instruction ID: d24d51247ea389ff5d9c87663f9ae9b87baefca5d80fa2ab2af03e1e70b59ce6
            • Opcode Fuzzy Hash: 996d0565ccb8a567934b8a1f456e96b50024858cfa45fca0a427857bf151ba7d
            • Instruction Fuzzy Hash: D4615A3180120DAECF15EBA4CA929FDB776EF15304F258169E502771A1EB31AF09CBB1
            Function 00E0ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            • Opcode ID: d1b8a7b3379c02959d49c380420d4cf846a68b83b1d48d42d354d891c866ddb5
            • Instruction ID: dcea4793fff5ba687547ad069de1b3aa9fc4d965bae93c800bcdd22a0f5c094e
            • Opcode Fuzzy Hash: d1b8a7b3379c02959d49c380420d4cf846a68b83b1d48d42d354d891c866ddb5
            • Instruction Fuzzy Hash: F641B1352046119FD720DF26D848F19BBE1EF44318F14D4A9E41AAB7A2C735FC86CB90
            Function 00DFE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DF16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DF170D
              • Part of subcall function 00DF16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DF173A
              • Part of subcall function 00DF16C3: GetLastError.KERNEL32 ref: 00DF174A
            • ExitWindowsEx.USER32(?,00000000), ref: 00DFE932
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $ $@$SeShutdownPrivilege
            • API String ID: 2234035333-3163812486
            • Opcode ID: 1bd0a4e85924fe358c2c7d95ae416a6b135eaaa3a88e516d3d61f2484c227233
            • Instruction ID: 09df135572b92b3c8f97248229607e35def014a7e8430148b2a68a5586fe05e0
            • Opcode Fuzzy Hash: 1bd0a4e85924fe358c2c7d95ae416a6b135eaaa3a88e516d3d61f2484c227233
            • Instruction Fuzzy Hash: 8F01D672610319AFEB6467B59C86FBF739C9B14751F1A8921FE02F21E2D9E09C4489F0
            Function 00E11204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON
            Download Yara Rule
            APIs
            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E11276
            • WSAGetLastError.WSOCK32 ref: 00E11283
            • bind.WSOCK32(00000000,?,00000010), ref: 00E112BA
            • WSAGetLastError.WSOCK32 ref: 00E112C5
            • closesocket.WSOCK32(00000000), ref: 00E112F4
            • listen.WSOCK32(00000000,00000005), ref: 00E11303
            • WSAGetLastError.WSOCK32 ref: 00E1130D
            • closesocket.WSOCK32(00000000), ref: 00E1133C
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorLast$closesocket$bindlistensocket
            • String ID:
            • API String ID: 540024437-0
            • Opcode ID: e57368f7f6a05dbce7bc2d8922f74d7df6a7c509eeda1a06c95a55d7e1980036
            • Instruction ID: d1a2ef6ce8959ef55580709c735873fbd824e6deaa0a1556f6d27c7ed186b068
            • Opcode Fuzzy Hash: e57368f7f6a05dbce7bc2d8922f74d7df6a7c509eeda1a06c95a55d7e1980036
            • Instruction Fuzzy Hash: 3741A2316001409FD724DF24C484BA9BBE5AF46318F2980C8D956AF2A6C771EC86CBE1
            Function 00DFD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D93A97,?,?,00D92E7F,?,?,?,00000000), ref: 00D93AC2
              • Part of subcall function 00DFE199: GetFileAttributesW.KERNEL32(?,00DFCF95), ref: 00DFE19A
            • FindFirstFileW.KERNEL32(?,?), ref: 00DFD420
            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00DFD470
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DFD481
            • FindClose.KERNEL32(00000000), ref: 00DFD498
            • FindClose.KERNEL32(00000000), ref: 00DFD4A1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
            • String ID: \*.*
            • API String ID: 2649000838-1173974218
            • Opcode ID: 8ef004eb8a965836ec9483e4cd7b048dd562473a2cfa165e9710c5f41383b18d
            • Instruction ID: d8fb897ce627d2b1c362692282b376c2a1f7a1cf65c0fdb32ff28d97a94bbb5e
            • Opcode Fuzzy Hash: 8ef004eb8a965836ec9483e4cd7b048dd562473a2cfa165e9710c5f41383b18d
            • Instruction Fuzzy Hash: 59315C32008345AFC714EF64D8918AFB7A9EEA1304F448A1DF5D5921A1EB30AA099B72
            Function 00DCE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: __floor_pentium4
            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
            • API String ID: 4168288129-2761157908
            • Opcode ID: 00e6c15cb37904da047399a3976b5d9b7eb29531c7c30ae6cd93150de18d0714
            • Instruction ID: 0b2398345367870345c2ac97f124251c41284caf813d7dfc9c19b5302618a493
            • Opcode Fuzzy Hash: 00e6c15cb37904da047399a3976b5d9b7eb29531c7c30ae6cd93150de18d0714
            • Instruction Fuzzy Hash: ECC20AB1E046298FDB25CF289D40BE9B7B6EB48305F1941EED44DE7241E774AE818F60
            Function 00E0648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON
            Download Yara Rule
            APIs
            • _wcslen.LIBCMT ref: 00E064DC
            • CoInitialize.OLE32(00000000), ref: 00E06639
            • CoCreateInstance.OLE32(00E2FCF8,00000000,00000001,00E2FB68,?), ref: 00E06650
            • CoUninitialize.OLE32 ref: 00E068D4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CreateInitializeInstanceUninitialize_wcslen
            • String ID: .lnk
            • API String ID: 886957087-24824748
            • Opcode ID: 9da74021911473652a10d45dc687a38062598e5635560c1a22514b5bdd317ac4
            • Instruction ID: f6f570dc5e817c26c051b2e9b62f30b12b162263b585228c5712dd948e55185c
            • Opcode Fuzzy Hash: 9da74021911473652a10d45dc687a38062598e5635560c1a22514b5bdd317ac4
            • Instruction Fuzzy Hash: 55D15871508301AFC714EF24C891A6BB7E9FF98304F10496DF5959B2A1EB70E949CBA2
            Function 00E122DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON
            Download Yara Rule
            APIs
            • GetForegroundWindow.USER32(?,?,00000000), ref: 00E122E8
              • Part of subcall function 00E0E4EC: GetWindowRect.USER32(?,?), ref: 00E0E504
            • GetDesktopWindow.USER32 ref: 00E12312
            • GetWindowRect.USER32(00000000), ref: 00E12319
            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00E12355
            • GetCursorPos.USER32(?), ref: 00E12381
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E123DF
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForeground
            • String ID:
            • API String ID: 2387181109-0
            • Opcode ID: be9dfb3e9f1bbadbb01c3265ea693747d52fe13dbb8e9c437576d7e06dc7c8ec
            • Instruction ID: d3921e0e9741de712e87e614c6ff7ad088a702b6c1d82145819ccf7277b09546
            • Opcode Fuzzy Hash: be9dfb3e9f1bbadbb01c3265ea693747d52fe13dbb8e9c437576d7e06dc7c8ec
            • Instruction Fuzzy Hash: 9D310272104316AFCB20DF15CC44B9BB7A9FF84714F10191DFA94A7191DB34EA59CBA2
            Function 00E09B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00E09B78
            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00E09C8B
              • Part of subcall function 00E03874: GetInputState.USER32 ref: 00E038CB
              • Part of subcall function 00E03874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E03966
            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00E09BA8
            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00E09C75
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
            • String ID: *.*
            • API String ID: 1972594611-438819550
            • Opcode ID: 4bebd625828f711061f2a9bc85075e677a27950f8782b3c1b864627bcba44efa
            • Instruction ID: ee64b4879e59562253e28c5641898dd85019bc9be1aa3204e09a0dfa1a0ca85a
            • Opcode Fuzzy Hash: 4bebd625828f711061f2a9bc85075e677a27950f8782b3c1b864627bcba44efa
            • Instruction Fuzzy Hash: 4D417F71D0020A9FDF14EF64C885AEEBBB8EF05314F24515AE805B21D2EB309E84CF60
            Function 00DA997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00DA9BB2
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00DA9A4E
            • GetSysColor.USER32(0000000F), ref: 00DA9B23
            • SetBkColor.GDI32(?,00000000), ref: 00DA9B36
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Color$LongProcWindow
            • String ID:
            • API String ID: 3131106179-0
            • Opcode ID: 56fe563b1fb71db1972576ec5cb720363faa42ba2f884ae93218c17c69603826
            • Instruction ID: cdff226fb3feaece7ed6de4ca9d3e40344e3d68a9fad3e56c6ca483c8e54846c
            • Opcode Fuzzy Hash: 56fe563b1fb71db1972576ec5cb720363faa42ba2f884ae93218c17c69603826
            • Instruction Fuzzy Hash: 11A17D71208494BEE769BA3E9CA8E7FB6DDEB83350F1C010AF442E6592CA25DD01D371
            Function 00E11806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00E1304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00E1307A
              • Part of subcall function 00E1304E: _wcslen.LIBCMT ref: 00E1309B
            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E1185D
            • WSAGetLastError.WSOCK32 ref: 00E11884
            • bind.WSOCK32(00000000,?,00000010), ref: 00E118DB
            • WSAGetLastError.WSOCK32 ref: 00E118E6
            • closesocket.WSOCK32(00000000), ref: 00E11915
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
            • String ID:
            • API String ID: 1601658205-0
            • Opcode ID: 9f80c334879c6a1c8bf71f8c2cebf8045bf868a02104c096e58a228c226ff6d7
            • Instruction ID: 2c6f51aee57018778ff97c618f8fa0a65e79a675671515369aa529abc817cc27
            • Opcode Fuzzy Hash: 9f80c334879c6a1c8bf71f8c2cebf8045bf868a02104c096e58a228c226ff6d7
            • Instruction Fuzzy Hash: 51519271A002109FDB14AF24C886F6A7BE5EB89718F588098F9196F2D3D771ED418BB1
            Function 00E21C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: a990258b7e71d39a69fe05a756f9ea6584f30801895b50e96fdfc058521ba7d7
            • Instruction ID: 7f0492301f004bd575267a74298045c0fb924f3a035a6260ce6ffd37254ff56b
            • Opcode Fuzzy Hash: a990258b7e71d39a69fe05a756f9ea6584f30801895b50e96fdfc058521ba7d7
            • Instruction Fuzzy Hash: 862129357402205FD7248F1AE845B6ABBE5FFA4315F1990ACE846EB351C771EE42CB90
            Function 00D98060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-1546025612
            • Opcode ID: 88f88d2861974fe8a04457afe553d56468fd0d30cdbdecbe7b8c87ff63de44b4
            • Instruction ID: 56fdd0d5b4c655da896e9b9549409475af24fa429daaed537210a357178467db
            • Opcode Fuzzy Hash: 88f88d2861974fe8a04457afe553d56468fd0d30cdbdecbe7b8c87ff63de44b4
            • Instruction Fuzzy Hash: B6A27071E0061ACBDF24CF58C8407AEB7B1BF55710F2881AAE855AB385DB70DD81DBA0
            Function 00DF8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON
            Download Yara Rule
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00DF82AA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: lstrlen
            • String ID: ($tb$|
            • API String ID: 1659193697-1968160224
            • Opcode ID: d68c2abc6a740c9b086b6746962e02977e1fa9b3d9bee1e2236cc808fc70452c
            • Instruction ID: f0fce36f5b2e777f036e39a714077a8333cbdb85b5be3d648f2b1542c55184e3
            • Opcode Fuzzy Hash: d68c2abc6a740c9b086b6746962e02977e1fa9b3d9bee1e2236cc808fc70452c
            • Instruction Fuzzy Hash: 88324775A007059FCB28CF59C081A6AB7F0FF48710B16C56EE59ADB3A1EB70E941CB50
            Function 00E1A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON
            Download Yara Rule
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 00E1A6AC
            • Process32FirstW.KERNEL32(00000000,?), ref: 00E1A6BA
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
            • Process32NextW.KERNEL32(00000000,?), ref: 00E1A79C
            • CloseHandle.KERNEL32(00000000), ref: 00E1A7AB
              • Part of subcall function 00DACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00DD3303,?), ref: 00DACE8A
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
            • String ID:
            • API String ID: 1991900642-0
            • Opcode ID: 7854ca4083f8935bf6a0a6e631d20d6c2dcb33963072834578206d5ef5153184
            • Instruction ID: 07e98c31dd2a56a027402304f55f18b42dfdcdcdc45a7d381bc9801f029c5383
            • Opcode Fuzzy Hash: 7854ca4083f8935bf6a0a6e631d20d6c2dcb33963072834578206d5ef5153184
            • Instruction Fuzzy Hash: C9515C71508300AFD710EF25C886A6FBBE8FF89754F44492DF599A7291EB30D904CBA2
            Function 00DFAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON
            Download Yara Rule
            APIs
            • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00DFAAAC
            • SetKeyboardState.USER32(00000080), ref: 00DFAAC8
            • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00DFAB36
            • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00DFAB88
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: bb36a03f838be9ab6e6bd8d63e098294bc3785544c411f0da254949313a9c587
            • Instruction ID: 4d5ae611746d1380fa46daccff4fa979343a41eea2a7c741b8db21237dd225d8
            • Opcode Fuzzy Hash: bb36a03f838be9ab6e6bd8d63e098294bc3785544c411f0da254949313a9c587
            • Instruction Fuzzy Hash: DD3116B0A4034CAEFB358B6DCC05BFA7BA6AB44310F19C21AF699561D0D374C985C772
            Function 00DCBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON
            Download Yara Rule
            APIs
            • _free.LIBCMT ref: 00DCBB7F
              • Part of subcall function 00DC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000), ref: 00DC29DE
              • Part of subcall function 00DC29C8: GetLastError.KERNEL32(00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000,00000000), ref: 00DC29F0
            • GetTimeZoneInformation.KERNEL32 ref: 00DCBB91
            • WideCharToMultiByte.KERNEL32(00000000,?,00E6121C,000000FF,?,0000003F,?,?), ref: 00DCBC09
            • WideCharToMultiByte.KERNEL32(00000000,?,00E61270,000000FF,?,0000003F,?,?,?,00E6121C,000000FF,?,0000003F,?,?), ref: 00DCBC36
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
            • String ID:
            • API String ID: 806657224-0
            • Opcode ID: 310c7c2c09fd51c3e70d37d5d678120ae19df81b844161f818199baf58ae8687
            • Instruction ID: 5d41c154e77cb0837b6f5928f758fc75ceaa0c525e3decafddd703619a5063ab
            • Opcode Fuzzy Hash: 310c7c2c09fd51c3e70d37d5d678120ae19df81b844161f818199baf58ae8687
            • Instruction Fuzzy Hash: 00319270904246DFCB12DF69DC52A2ABBB8FF45760B1842AEE050E72B1D770DD05EB60
            Function 00E0CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON
            Download Yara Rule
            APIs
            • InternetReadFile.WININET(?,?,00000400,?), ref: 00E0CE89
            • GetLastError.KERNEL32(?,00000000), ref: 00E0CEEA
            • SetEvent.KERNEL32(?,?,00000000), ref: 00E0CEFE
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorEventFileInternetLastRead
            • String ID:
            • API String ID: 234945975-0
            • Opcode ID: aa3c9ed5305e6095c3d6d076bc9986886b4dd37b5a6c0d18c8d7aa80d88e7f89
            • Instruction ID: 456910fbc273c960698c2c74a0e19608bace06cd2743378ba862bd5ea0ee708b
            • Opcode Fuzzy Hash: aa3c9ed5305e6095c3d6d076bc9986886b4dd37b5a6c0d18c8d7aa80d88e7f89
            • Instruction Fuzzy Hash: 27218E71500705DFD730DFA5C944BAB77F8EB40358F20451AE646E2191E770E98A8B64
            Function 00E05C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON
            Download Yara Rule
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00E05CC1
            • FindNextFileW.KERNEL32(00000000,?), ref: 00E05D17
            • FindClose.KERNEL32(?), ref: 00E05D5F
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Find$File$CloseFirstNext
            • String ID:
            • API String ID: 3541575487-0
            • Opcode ID: 8ec2fc54f76db4ebc4af66dffd7fe253c73b4be0fe820965b3492e80b39c22d9
            • Instruction ID: 8219632c04cd413031d3a15e49c1e18b906d18d19a3b7d8eff60869d372ba931
            • Opcode Fuzzy Hash: 8ec2fc54f76db4ebc4af66dffd7fe253c73b4be0fe820965b3492e80b39c22d9
            • Instruction Fuzzy Hash: 3151A936604A019FC714CF28C494E9AB7E4FF49318F14855EE99A9B3A1DB30EC44CFA1
            Function 00DC2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 00DC271A
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DC2724
            • UnhandledExceptionFilter.KERNEL32(?), ref: 00DC2731
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            • Opcode ID: 966932f6ef9ed801f3fdfc73ef6490b0af477cb2c99f966dc003d8f014aa3321
            • Instruction ID: 5d17944d56b8d8d98a7e7ab4665a3f508e05947534898bf816b7c56e2163460b
            • Opcode Fuzzy Hash: 966932f6ef9ed801f3fdfc73ef6490b0af477cb2c99f966dc003d8f014aa3321
            • Instruction Fuzzy Hash: 0431C4759412189BCB21DF64DC88BDDBBB8EF08310F5045EAE41CA72A1E7309F858F54
            Function 00E051CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON
            Download Yara Rule
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00E051DA
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E05238
            • SetErrorMode.KERNEL32(00000000), ref: 00E052A1
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: 5f0cf488e538fbad737d61421b7bad8d39be5adb0b55821d3c6a040598c1a542
            • Instruction ID: bcca707add3812ef2940a063a42a4957c12d1ec6baf18832e40dd8e7afc266f4
            • Opcode Fuzzy Hash: 5f0cf488e538fbad737d61421b7bad8d39be5adb0b55821d3c6a040598c1a542
            • Instruction Fuzzy Hash: 86316175A00518DFDB00DF55D885EAEBBB5FF49318F148099E805AB3A2DB31EC56CB60
            Function 00DF16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DAFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00DB0668
              • Part of subcall function 00DAFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00DB0685
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DF170D
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DF173A
            • GetLastError.KERNEL32 ref: 00DF174A
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
            • String ID:
            • API String ID: 577356006-0
            • Opcode ID: 194afa6a6e034abb661563ceadad4b4cde71712643fd99c1d75334799fefd744
            • Instruction ID: 6c3e3857b9cd9d813af389f8cd1b5dbc5c660b199fc45320ac9496f4f5a39bfc
            • Opcode Fuzzy Hash: 194afa6a6e034abb661563ceadad4b4cde71712643fd99c1d75334799fefd744
            • Instruction Fuzzy Hash: 4F11CEB2400308EFE728AF64DC86D6AB7B9EB04714B20C56EE45693241EB70FC428A70
            Function 00DFD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON
            Download Yara Rule
            APIs
            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DFD608
            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00DFD645
            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DFD650
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle
            • String ID:
            • API String ID: 33631002-0
            • Opcode ID: b395b2864d4f0bc7ae65ec77d385edfd5ec347e2a55b6931ec2a8f3b53c46b5a
            • Instruction ID: 49289a9b332555ea78918c0184dc31106b3896ec4c0b10926df99723fdbb4446
            • Opcode Fuzzy Hash: b395b2864d4f0bc7ae65ec77d385edfd5ec347e2a55b6931ec2a8f3b53c46b5a
            • Instruction Fuzzy Hash: 8B115E75E05228BFDB208F95DC45FAFBBBDEB45B60F108155F904F7290D6704A058BA1
            Function 00DF1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON
            Download Yara Rule
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00DF168C
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00DF16A1
            • FreeSid.ADVAPI32(?), ref: 00DF16B1
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: 2a9a66e1248ffa9e827e6cfab08a5f55cb4f5e4c3786de01ee6428ad926e5463
            • Instruction ID: e35e1511f47c3a56ccea43d33c1e69952bab92242a62b0bb81d2c6ffbd4dfc04
            • Opcode Fuzzy Hash: 2a9a66e1248ffa9e827e6cfab08a5f55cb4f5e4c3786de01ee6428ad926e5463
            • Instruction Fuzzy Hash: 0CF0447194030CFFDB00CFE0CC89EAEBBBCFB08240F204460E500E2180E330AA088A60
            Function 00DB4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • GetCurrentProcess.KERNEL32(00DC28E9,?,00DB4CBE,00DC28E9,00E588B8,0000000C,00DB4E15,00DC28E9,00000002,00000000,?,00DC28E9), ref: 00DB4D09
            • TerminateProcess.KERNEL32(00000000,?,00DB4CBE,00DC28E9,00E588B8,0000000C,00DB4E15,00DC28E9,00000002,00000000,?,00DC28E9), ref: 00DB4D10
            • ExitProcess.KERNEL32 ref: 00DB4D22
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID:
            • API String ID: 1703294689-0
            • Opcode ID: a70ad30c28958eb840798f80aed47d310543f17987318f64677b3a47d938a918
            • Instruction ID: 425b566dae1bfe7b773ade39aa4d0525fb347219b363a1b59b23654d0db91b0e
            • Opcode Fuzzy Hash: a70ad30c28958eb840798f80aed47d310543f17987318f64677b3a47d938a918
            • Instruction Fuzzy Hash: 57E0B631000548EFCF21EF55DD0AA9C3B69FB41795B248458FC069B123CB35DD56DBA4
            Function 00DED27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON
            Download Yara Rule
            APIs
            • GetUserNameW.ADVAPI32(?,?), ref: 00DED28C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: NameUser
            • String ID: X64
            • API String ID: 2645101109-893830106
            • Opcode ID: b6af898b02bc29bda7e1a0ac7173b6189935813091f5cc2a902af05a1bfa552a
            • Instruction ID: 2b3450039ccf088b694e31956149cec40812d5adda3d9d6af013bc2d8d06f538
            • Opcode Fuzzy Hash: b6af898b02bc29bda7e1a0ac7173b6189935813091f5cc2a902af05a1bfa552a
            • Instruction Fuzzy Hash: 19D0CAB480112DEECBA0DBA0EC88DDEB3BCBB04305F200292F246A2000DB3496898F20
            Function 00DBCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
            • Instruction ID: 7434fd61c2505fdf254a132aae5cd03f258e51c44303af7dcdf83ee5817755d8
            • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
            • Instruction Fuzzy Hash: 7E021D71E11119DBDF14CFA9C8806EEBBF1FF58314F29516AE81AEB340D731A9418BA4
            Function 00D9CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID: Variable is not of type 'Object'.$p#
            • API String ID: 0-1086706999
            • Opcode ID: c29573799de967c0892dbea6fb9c3a4ef1c3264da9303a83fc19e5a3c4f2766c
            • Instruction ID: 83341e8b87469319a7fc5d11449f9e9ea4430a7cf33bf3560874335966d5e6c8
            • Opcode Fuzzy Hash: c29573799de967c0892dbea6fb9c3a4ef1c3264da9303a83fc19e5a3c4f2766c
            • Instruction Fuzzy Hash: A932AC70910218DBCF14EF94C885BEDBBB5FF05304F689069E846AB292D775AE85CB70
            Function 00E068EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON
            Download Yara Rule
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00E06918
            • FindClose.KERNEL32(00000000), ref: 00E06961
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: 3d00e982a5193079fac4a84e52ec740d3af89a579f46357d60f85e3a4a5deb0f
            • Instruction ID: 9622614db4a83be6a40f5d0ff616abd17565e70eb14dfc566c62199ac53a0583
            • Opcode Fuzzy Hash: 3d00e982a5193079fac4a84e52ec740d3af89a579f46357d60f85e3a4a5deb0f
            • Instruction Fuzzy Hash: 8F1190326146019FC710DF29D484A1ABBE5FF85328F54C699F4699F6A2CB30EC45CBA1
            Function 00E037B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON
            Download Yara Rule
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00E14891,?,?,00000035,?), ref: 00E037E4
            • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00E14891,?,?,00000035,?), ref: 00E037F4
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: 3176dd394cc83af704f073bffdf12bbe509dad2f1ec9a6f9826a8298330d551e
            • Instruction ID: 31f567ca3c05ec0eb04ca7f3355f79128f478f91389674a70ee06d133c22202d
            • Opcode Fuzzy Hash: 3176dd394cc83af704f073bffdf12bbe509dad2f1ec9a6f9826a8298330d551e
            • Instruction Fuzzy Hash: B1F0E5B16042286AEB2057B68C4DFEB7AAEEFC8761F000266F509E22D5D9609945C6B0
            Function 00DFB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON
            Download Yara Rule
            APIs
            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00DFB25D
            • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00DFB270
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: InputSendkeybd_event
            • String ID:
            • API String ID: 3536248340-0
            • Opcode ID: d49bf3874ca39ddd78f2f13b0ab21d1e813d586993ddc762ac8d8b8c212287bf
            • Instruction ID: 3165c2a00f33cfa441c0d344c6561d1ec3a4dfb96448064fa57d83e1721d121f
            • Opcode Fuzzy Hash: d49bf3874ca39ddd78f2f13b0ab21d1e813d586993ddc762ac8d8b8c212287bf
            • Instruction Fuzzy Hash: D1F01D7180424DAFDF159FA1C805BBE7BB4FF08315F14800AF955A5191C379C6159FA4
            Function 00DF10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON
            Download Yara Rule
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DF11FC), ref: 00DF10D4
            • CloseHandle.KERNEL32(?,?,00DF11FC), ref: 00DF10E9
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: bdd7bd2882d3d4c5f4803180da4410a77e89990cd7242c5315dabb3a9676c0b7
            • Instruction ID: 9b52297fe2e99e040800dd7b7d17bd7431afcb8087a7d45329f50ff7bbbb92d2
            • Opcode Fuzzy Hash: bdd7bd2882d3d4c5f4803180da4410a77e89990cd7242c5315dabb3a9676c0b7
            • Instruction Fuzzy Hash: 27E04F32004600EEE7352B61FC05E7777E9EB04320B24886DF5A5804B1DB626CA1DB64
            Function 00DC676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00DC6766,?,?,00000008,?,?,00DCFEFE,00000000), ref: 00DC6998
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ExceptionRaise
            • String ID:
            • API String ID: 3997070919-0
            • Opcode ID: 87c17d407ffb6e1dc9e7febcef1e84d276bb0cacf897856fc2f0b7fe385540f5
            • Instruction ID: 4f0325b3b67a16c4ac40476194513d215ca7cd7b4b28de5051bbcdb8fe15464d
            • Opcode Fuzzy Hash: 87c17d407ffb6e1dc9e7febcef1e84d276bb0cacf897856fc2f0b7fe385540f5
            • Instruction Fuzzy Hash: EBB1193161060A9FDB15CF28C486B657BA0FF45364F29865CE89ACF2E2C735E991CB50
            Function 00DAB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: 1b78d1e1176ddcdb9d499572ef6ee050b6a93472d59b4b509003db6cbe8cc1e1
            • Instruction ID: 4b47212f96fc2fbebe8d40d07dc52e07d270d6ec2c3325fa9c298c35a300757c
            • Opcode Fuzzy Hash: 1b78d1e1176ddcdb9d499572ef6ee050b6a93472d59b4b509003db6cbe8cc1e1
            • Instruction Fuzzy Hash: A41261719002299FCB14DF59C8806EEB7F5FF49710F14819AE849EB256DB709E81DFA0
            Function 00E0EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON
            Download Yara Rule
            APIs
            • BlockInput.USER32(00000001), ref: 00E0EABD
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            • Opcode ID: 9a9fcb87924f767b155ddbe2c93449e7cfe16e43fb56acae019c9cbbd5975af7
            • Instruction ID: 33c7653a582834c3566fb8bbbe9e75ea9285c7ed3c09e4db33adae2176f248bf
            • Opcode Fuzzy Hash: 9a9fcb87924f767b155ddbe2c93449e7cfe16e43fb56acae019c9cbbd5975af7
            • Instruction Fuzzy Hash: CBE01A322102049FC710EF5AD804E9AB7E9EF987A0F018426FC49D73A1DA70A8818BA0
            Function 00DB09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
            Download Yara Rule
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00DB03EE), ref: 00DB09DA
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 8c6fe2ebac8181b4a5ac6ace3d270f1e7a225fa2131357f43effa1dd485e2d6d
            • Instruction ID: 94e2c70edaec0fbd3504cf6e1a98b998680e5728b4f411c9fbe036d41437bcaf
            • Opcode Fuzzy Hash: 8c6fe2ebac8181b4a5ac6ace3d270f1e7a225fa2131357f43effa1dd485e2d6d
            • Instruction Fuzzy Hash:
            Function 00DB781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
            • Instruction ID: 0290c3186d872deb68145c63c1780b57f0c640221cfc4f3dfc16b7a5b5af4c86
            • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
            • Instruction Fuzzy Hash: 9451567960C705DBDF388968885ABFE6799DBC2340F1C050AD8C7D7282CA15DE01E776
            Function 00E02046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID: 0&
            • API String ID: 0-2523485602
            • Opcode ID: b7ba3beda5157eaba8b842830eead4d690e94bf06e20e8ae23493e3606df0e0b
            • Instruction ID: a9ea56fd93bf81095e4404e390349e53f9f95c916f02304aad37a619b9097462
            • Opcode Fuzzy Hash: b7ba3beda5157eaba8b842830eead4d690e94bf06e20e8ae23493e3606df0e0b
            • Instruction Fuzzy Hash: 3521E7327206118BDB28CF79C82367E73E5A764310F14862EE5A7E37D0DE76A944CB90
            Function 00DC6DD9 Relevance: .6, Instructions: 637COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ad9577e35232dd8a26845f1d1004e7fc43a101dcbfdf29d691cf79d3e0de248f
            • Instruction ID: a5a0bb3158c87baaae5b4515dbd8676b6a8b9ede75da41fce73da3a3e6b0e8f8
            • Opcode Fuzzy Hash: ad9577e35232dd8a26845f1d1004e7fc43a101dcbfdf29d691cf79d3e0de248f
            • Instruction Fuzzy Hash: 18324631D28F064DD7239636DC26335A689AFB73C5F25C73BF81AB69A5EB29C4834100
            Function 00DACC39 Relevance: .6, Instructions: 635COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 20a8fb1383ca11f3a850022e356d110c53d9f390753d0b4683451e7b52be77f7
            • Instruction ID: 35e7b50b07cdf6800e47889e2d0f948c94e73a2e48dabd3e52a3a7302972f94a
            • Opcode Fuzzy Hash: 20a8fb1383ca11f3a850022e356d110c53d9f390753d0b4683451e7b52be77f7
            • Instruction Fuzzy Hash: 14323A31A241958FCF28EF2AC49067D77A1EF46324F2CA56AD499DB291D230DD83DB70
            Function 00D97920 Relevance: .6, Instructions: 563COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 83e48b298bace884f34765a6b9183b13ee35b86ae2736d9af08c0746d03d8178
            • Instruction ID: 3a3a571c784cab1638243e03eac41e460cc5c9f328c735d50dcdf8b4c3224837
            • Opcode Fuzzy Hash: 83e48b298bace884f34765a6b9183b13ee35b86ae2736d9af08c0746d03d8178
            • Instruction Fuzzy Hash: 94229D70A00609DFDF14CFA8D881AAEB7B5FF44304F14462AE856A7395EB36E914CB70
            Function 00D991C0 Relevance: .5, Instructions: 475COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b88cb04d28339f7406339f497187298a37a552d93f686cc39b4e3f6aed1f9af
            • Instruction ID: 0aef184cd338fc2125e33999a70b024d743a9e2bd49fb4dd701e2d10198e2a62
            • Opcode Fuzzy Hash: 2b88cb04d28339f7406339f497187298a37a552d93f686cc39b4e3f6aed1f9af
            • Instruction Fuzzy Hash: 1202C7B1A00205EFDF05EF64D881AAEB7B1FF44300F558169E8569B391EB31EA14CBB5
            Function 00DC9EEE Relevance: .3, Instructions: 294COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f2935e6806c4e66b2d8728bcded20c6d86bfe735a648772ffcde8b006b6f9124
            • Instruction ID: de5b3c6ed2457fb3aa4441ebb96bac96fe77b3ba0aab04fb37da42da0e7f7944
            • Opcode Fuzzy Hash: f2935e6806c4e66b2d8728bcded20c6d86bfe735a648772ffcde8b006b6f9124
            • Instruction Fuzzy Hash: 9FB11320D2AF454DC323963A8835336BB5CAFBB6D5F91D31BFC2674D22EB2286874140
            Function 00DB1C77 Relevance: .3, Instructions: 254COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
            • Instruction ID: ac5a080537c2bff1ec8319e0b15734e5f8f3cacba5a3b03034976ff53e2ce693
            • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
            • Instruction Fuzzy Hash: 449177765080E38ADB29463E85740BEFFE15A923A135E079DE4F3CA1C5FE24C968D630
            Function 00DB19B0 Relevance: .2, Instructions: 240COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
            • Instruction ID: 059eaa716d7b4c2b6979842729011f06523d0fe54fbe86c97dc4153ae4ef7ba9
            • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
            • Instruction Fuzzy Hash: 7D91B43A2090E38ADB2D427A84740BEFFE15A923A139E079DD4F3CA1C5FE14D569D630
            Function 00DB7A4A Relevance: .2, Instructions: 237COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 58fcb1bf78fb8f34be3b3b544c28523ffa9fc97f464bd6df51ac0e7594d5b01a
            • Instruction ID: e29f8f24ed1eff493c36524c43688f8d6a4a887a5ff3ce925521ddda2cfd5035
            • Opcode Fuzzy Hash: 58fcb1bf78fb8f34be3b3b544c28523ffa9fc97f464bd6df51ac0e7594d5b01a
            • Instruction Fuzzy Hash: 77614871608709E7DE749A288D95BFE2398DFC1700F18091DE887DB2D1DA11DE42DB79
            Function 00DB7CA7 Relevance: .2, Instructions: 237COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 99b5b89e4e05cb5e4854819ae961dc4519d5fba01db963791503789964134a83
            • Instruction ID: 0e03dc5de443822f9a6e87486c751ee88563ad391f44e24acccae335e2b3f205
            • Opcode Fuzzy Hash: 99b5b89e4e05cb5e4854819ae961dc4519d5fba01db963791503789964134a83
            • Instruction Fuzzy Hash: CF61377160870AD7DE385A2888A5BFE2398EFC2780F18095DF983DF681DA12DD42D375
            Function 00DB1706 Relevance: .2, Instructions: 232COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
            • Instruction ID: 6d4aadd49476e7b2620a955c5fce9b1c0f5b8c0959070551ef987401b03a7657
            • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
            • Instruction Fuzzy Hash: F581523A6090E389DB6D463A85344BEFFE16A923A135E079DD4F3CB1C1EE24C558DA30
            Function 00CF3600 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682478802.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
            • Instruction ID: a504cb2c26f168bb52c78ce3773592c3e69e305754819c2102f0467aa4cf0db8
            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
            • Instruction Fuzzy Hash: 2841D3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40
            Function 00CF34F0 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682478802.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
            • Instruction ID: 8983ea3ebe05270b5128ea5b3291f37f493b7580c0de0a689164a80d661753c5
            • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
            • Instruction Fuzzy Hash: A7019279A00149EFCB84DF98C5909AEF7B5FB88310F208599E919A7741D730AF42DB81
            Function 00CF3490 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682478802.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
            • Instruction ID: 5ccd85b9ad66cdf4ed81473fcd1eb4b611672a84d2fe42f98d16cea1d7f5d49a
            • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
            • Instruction Fuzzy Hash: 7B019278A00109EFCB85DF98C5909AEFBB5FB48310F208599E919A7741D730AF41DB91
            Function 00CF1E70 Relevance: .0, Instructions: 6COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682478802.0000000000CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
            • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
            • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
            • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
            Function 00E12ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON
            Download Yara Rule
            APIs
            • DeleteObject.GDI32(00000000), ref: 00E12B30
            • DeleteObject.GDI32(00000000), ref: 00E12B43
            • DestroyWindow.USER32 ref: 00E12B52
            • GetDesktopWindow.USER32 ref: 00E12B6D
            • GetWindowRect.USER32(00000000), ref: 00E12B74
            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00E12CA3
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00E12CB1
            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E12CF8
            • GetClientRect.USER32(00000000,?), ref: 00E12D04
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E12D40
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E12D62
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E12D75
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E12D80
            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E12D89
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E12D98
            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E12DA1
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E12DA8
            • GlobalFree.KERNEL32(00000000), ref: 00E12DB3
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E12DC5
            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00E2FC38,00000000), ref: 00E12DDB
            • GlobalFree.KERNEL32(00000000), ref: 00E12DEB
            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00E12E11
            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00E12E30
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E12E52
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E1303F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            • API String ID: 2211948467-2373415609
            • Opcode ID: a5166176753f4acfb4c073ac4729f3232804c23eb908d1a46ec4257fae393995
            • Instruction ID: cd2ecdaaae906e7b21116536878fddb7f21b0fa90e871c1cd4d97a4b49c942ad
            • Opcode Fuzzy Hash: a5166176753f4acfb4c073ac4729f3232804c23eb908d1a46ec4257fae393995
            • Instruction Fuzzy Hash: D0026A71A00204EFDB24DF65DC89EAE7BB9EF48714F148158F915BB2A1CB70AD46CB60
            Function 00E270D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON
            Download Yara Rule
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 00E2712F
            • GetSysColorBrush.USER32(0000000F), ref: 00E27160
            • GetSysColor.USER32(0000000F), ref: 00E2716C
            • SetBkColor.GDI32(?,000000FF), ref: 00E27186
            • SelectObject.GDI32(?,?), ref: 00E27195
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00E271C0
            • GetSysColor.USER32(00000010), ref: 00E271C8
            • CreateSolidBrush.GDI32(00000000), ref: 00E271CF
            • FrameRect.USER32(?,?,00000000), ref: 00E271DE
            • DeleteObject.GDI32(00000000), ref: 00E271E5
            • InflateRect.USER32(?,000000FE,000000FE), ref: 00E27230
            • FillRect.USER32(?,?,?), ref: 00E27262
            • GetWindowLongW.USER32(?,000000F0), ref: 00E27284
              • Part of subcall function 00E273E8: GetSysColor.USER32(00000012), ref: 00E27421
              • Part of subcall function 00E273E8: SetTextColor.GDI32(?,?), ref: 00E27425
              • Part of subcall function 00E273E8: GetSysColorBrush.USER32(0000000F), ref: 00E2743B
              • Part of subcall function 00E273E8: GetSysColor.USER32(0000000F), ref: 00E27446
              • Part of subcall function 00E273E8: GetSysColor.USER32(00000011), ref: 00E27463
              • Part of subcall function 00E273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E27471
              • Part of subcall function 00E273E8: SelectObject.GDI32(?,00000000), ref: 00E27482
              • Part of subcall function 00E273E8: SetBkColor.GDI32(?,00000000), ref: 00E2748B
              • Part of subcall function 00E273E8: SelectObject.GDI32(?,?), ref: 00E27498
              • Part of subcall function 00E273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00E274B7
              • Part of subcall function 00E273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E274CE
              • Part of subcall function 00E273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00E274DB
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
            • String ID:
            • API String ID: 4124339563-0
            • Opcode ID: c775c3a22292315ff20a1f796b750de141bc2b658e5a78b92a33d5cc05d44041
            • Instruction ID: 8af636d69f584d4cf54c5494d590ecd940c68158129812742963e1e8cc3cf33b
            • Opcode Fuzzy Hash: c775c3a22292315ff20a1f796b750de141bc2b658e5a78b92a33d5cc05d44041
            • Instruction Fuzzy Hash: 52A1A072009311EFD7209F61DC49E5F7BA9FF49320F201A19F9A2A61E1D770E949CB92
            Function 00DA8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON
            Download Yara Rule
            APIs
            • DestroyWindow.USER32(?,?), ref: 00DA8E14
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00DE6AC5
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00DE6AFE
            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DE6F43
              • Part of subcall function 00DA8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DA8BE8,?,00000000,?,?,?,?,00DA8BBA,00000000,?), ref: 00DA8FC5
            • SendMessageW.USER32(?,00001053), ref: 00DE6F7F
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00DE6F96
            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00DE6FAC
            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00DE6FB7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
            • String ID: 0
            • API String ID: 2760611726-4108050209
            • Opcode ID: 722e14de7f748e488b76bc31da6c7b46a4529b7812a036c988f922276782d240
            • Instruction ID: d0aef254a816b79c73a77119a1fff2e9f0fad22d5f8b9632635d0216a87200cf
            • Opcode Fuzzy Hash: 722e14de7f748e488b76bc31da6c7b46a4529b7812a036c988f922276782d240
            • Instruction Fuzzy Hash: D612BF30200281DFC725EF16D844BAABBE1FF65340F284469F4859B2A1CB72ED56DF61
            Function 00E12711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON
            Download Yara Rule
            APIs
            • DestroyWindow.USER32(00000000), ref: 00E1273E
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E1286A
            • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00E128A9
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00E128B9
            • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00E12900
            • GetClientRect.USER32(00000000,?), ref: 00E1290C
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00E12955
            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E12964
            • GetStockObject.GDI32(00000011), ref: 00E12974
            • SelectObject.GDI32(00000000,00000000), ref: 00E12978
            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00E12988
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E12991
            • DeleteDC.GDI32(00000000), ref: 00E1299A
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E129C6
            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00E129DD
            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00E12A1D
            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E12A31
            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00E12A42
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00E12A77
            • GetStockObject.GDI32(00000011), ref: 00E12A82
            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E12A8D
            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00E12A97
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
            • API String ID: 2910397461-517079104
            • Opcode ID: 767490c58be4178713c291e347cb9d466c08f12288b134368339f54cd02c3711
            • Instruction ID: 6950b37bd49822706fb05ca9739266006355c89c00aa3b029cd9469433d7a4ef
            • Opcode Fuzzy Hash: 767490c58be4178713c291e347cb9d466c08f12288b134368339f54cd02c3711
            • Instruction Fuzzy Hash: 0BB18B71A40205AFEB24DF69DC4AEAF7BB9EB08710F114159FA15E7290D770ED40CBA4
            Function 00E04ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON
            Download Yara Rule
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00E04AED
            • GetDriveTypeW.KERNEL32(?,00E2CB68,?,\\.\,00E2CC08), ref: 00E04BCA
            • SetErrorMode.KERNEL32(00000000,00E2CB68,?,\\.\,00E2CC08), ref: 00E04D36
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: c13d580354f652294c1a68b0210c9220326034ff8c7a9574e8ce312fa51f793b
            • Instruction ID: 4bbbaf2d50160a1ca6031d6f40adf2d87d0ae6e1e7576970b2a40c90fed50d2f
            • Opcode Fuzzy Hash: c13d580354f652294c1a68b0210c9220326034ff8c7a9574e8ce312fa51f793b
            • Instruction Fuzzy Hash: 8761B2F1605205EBEB04EF14CBC2AA8F7B1EB44305B646815FA06BB2D1DA31DD85DB61
            Function 00E273E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON
            Download Yara Rule
            APIs
            • GetSysColor.USER32(00000012), ref: 00E27421
            • SetTextColor.GDI32(?,?), ref: 00E27425
            • GetSysColorBrush.USER32(0000000F), ref: 00E2743B
            • GetSysColor.USER32(0000000F), ref: 00E27446
            • CreateSolidBrush.GDI32(?), ref: 00E2744B
            • GetSysColor.USER32(00000011), ref: 00E27463
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E27471
            • SelectObject.GDI32(?,00000000), ref: 00E27482
            • SetBkColor.GDI32(?,00000000), ref: 00E2748B
            • SelectObject.GDI32(?,?), ref: 00E27498
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00E274B7
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E274CE
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00E274DB
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E2752A
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E27554
            • InflateRect.USER32(?,000000FD,000000FD), ref: 00E27572
            • DrawFocusRect.USER32(?,?), ref: 00E2757D
            • GetSysColor.USER32(00000011), ref: 00E2758E
            • SetTextColor.GDI32(?,00000000), ref: 00E27596
            • DrawTextW.USER32(?,00E270F5,000000FF,?,00000000), ref: 00E275A8
            • SelectObject.GDI32(?,?), ref: 00E275BF
            • DeleteObject.GDI32(?), ref: 00E275CA
            • SelectObject.GDI32(?,?), ref: 00E275D0
            • DeleteObject.GDI32(?), ref: 00E275D5
            • SetTextColor.GDI32(?,?), ref: 00E275DB
            • SetBkColor.GDI32(?,?), ref: 00E275E5
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            • Opcode ID: 53a54380d3fe924df9b8ecb703147853395922a9819f0843a598aabd3364163f
            • Instruction ID: 2b5bf580dfd7d0568088f4265c73dd33228ea621a953a38ed34cc8f01696f82f
            • Opcode Fuzzy Hash: 53a54380d3fe924df9b8ecb703147853395922a9819f0843a598aabd3364163f
            • Instruction Fuzzy Hash: A1616B72901228AFDF119FA5DC49EEEBFB9EF08320F244115F915BB2A1D7749941CBA0
            Function 00E20FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON
            Download Yara Rule
            APIs
            • GetCursorPos.USER32(?), ref: 00E21128
            • GetDesktopWindow.USER32 ref: 00E2113D
            • GetWindowRect.USER32(00000000), ref: 00E21144
            • GetWindowLongW.USER32(?,000000F0), ref: 00E21199
            • DestroyWindow.USER32(?), ref: 00E211B9
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E211ED
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E2120B
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E2121D
            • SendMessageW.USER32(00000000,00000421,?,?), ref: 00E21232
            • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00E21245
            • IsWindowVisible.USER32(00000000), ref: 00E212A1
            • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00E212BC
            • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00E212D0
            • GetWindowRect.USER32(00000000,?), ref: 00E212E8
            • MonitorFromPoint.USER32(?,?,00000002), ref: 00E2130E
            • GetMonitorInfoW.USER32(00000000,?), ref: 00E21328
            • CopyRect.USER32(?,?), ref: 00E2133F
            • SendMessageW.USER32(00000000,00000412,00000000), ref: 00E213AA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: 9fe849a9551346bec63720b9d1c8ca4026665b8ea9b1280b71e5dfc90753e08d
            • Instruction ID: 5f352b9422da7bfedbf49b3e9ce0374c9456980c81306312152fb47ba1c5534b
            • Opcode Fuzzy Hash: 9fe849a9551346bec63720b9d1c8ca4026665b8ea9b1280b71e5dfc90753e08d
            • Instruction Fuzzy Hash: 5CB1CD71604350AFDB10DF25D884B6EBBE5FF98354F00895CF989AB261C731E945CBA2
            Function 00DA8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON
            Download Yara Rule
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DA8968
            • GetSystemMetrics.USER32(00000007), ref: 00DA8970
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DA899B
            • GetSystemMetrics.USER32(00000008), ref: 00DA89A3
            • GetSystemMetrics.USER32(00000004), ref: 00DA89C8
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DA89E5
            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00DA89F5
            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DA8A28
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DA8A3C
            • GetClientRect.USER32(00000000,000000FF), ref: 00DA8A5A
            • GetStockObject.GDI32(00000011), ref: 00DA8A76
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00DA8A81
              • Part of subcall function 00DA912D: GetCursorPos.USER32(?), ref: 00DA9141
              • Part of subcall function 00DA912D: ScreenToClient.USER32(00000000,?), ref: 00DA915E
              • Part of subcall function 00DA912D: GetAsyncKeyState.USER32(00000001), ref: 00DA9183
              • Part of subcall function 00DA912D: GetAsyncKeyState.USER32(00000002), ref: 00DA919D
            • SetTimer.USER32(00000000,00000000,00000028,00DA90FC), ref: 00DA8AA8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: f9e273b0ee1e7a0fbdf91cca5a81d2a2b39604c9e7632b067c845b6c4ef79c84
            • Instruction ID: c62fe3e1c0bfb11f4f123292e0f38954cc7e9be8853885f134235a4aa1e9db2f
            • Opcode Fuzzy Hash: f9e273b0ee1e7a0fbdf91cca5a81d2a2b39604c9e7632b067c845b6c4ef79c84
            • Instruction Fuzzy Hash: D3B18C31A002099FDB14EFA9DC89BAE3BB5FB48354F144229FA15E7290DB74E845CF61
            Function 00DF0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DF10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DF1114
              • Part of subcall function 00DF10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00DF0B9B,?,?,?), ref: 00DF1120
              • Part of subcall function 00DF10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DF0B9B,?,?,?), ref: 00DF112F
              • Part of subcall function 00DF10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DF0B9B,?,?,?), ref: 00DF1136
              • Part of subcall function 00DF10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DF114D
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DF0DF5
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DF0E29
            • GetLengthSid.ADVAPI32(?), ref: 00DF0E40
            • GetAce.ADVAPI32(?,00000000,?), ref: 00DF0E7A
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DF0E96
            • GetLengthSid.ADVAPI32(?), ref: 00DF0EAD
            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00DF0EB5
            • HeapAlloc.KERNEL32(00000000), ref: 00DF0EBC
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DF0EDD
            • CopySid.ADVAPI32(00000000), ref: 00DF0EE4
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DF0F13
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DF0F35
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DF0F47
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DF0F6E
            • HeapFree.KERNEL32(00000000), ref: 00DF0F75
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DF0F7E
            • HeapFree.KERNEL32(00000000), ref: 00DF0F85
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DF0F8E
            • HeapFree.KERNEL32(00000000), ref: 00DF0F95
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00DF0FA1
            • HeapFree.KERNEL32(00000000), ref: 00DF0FA8
              • Part of subcall function 00DF1193: GetProcessHeap.KERNEL32(00000008,00DF0BB1,?,00000000,?,00DF0BB1,?), ref: 00DF11A1
              • Part of subcall function 00DF1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00DF0BB1,?), ref: 00DF11A8
              • Part of subcall function 00DF1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00DF0BB1,?), ref: 00DF11B7
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
            • String ID:
            • API String ID: 4175595110-0
            • Opcode ID: 69d899dc21c2dee4d9bf9d654cfb0e11af56120d0409414096a9d614e855512b
            • Instruction ID: afdfd7d0b257fc5ff01813e5322072cf7055455712e814143c9d1f7d526f6f20
            • Opcode Fuzzy Hash: 69d899dc21c2dee4d9bf9d654cfb0e11af56120d0409414096a9d614e855512b
            • Instruction Fuzzy Hash: 78714A7290420AAFDB209FA5DC45FBEBBB8BF04300F198115FA19B7192D771991ACB70
            Function 00E1C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON
            Download Yara Rule
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E1C4BD
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00E2CC08,00000000,?,00000000,?,?), ref: 00E1C544
            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00E1C5A4
            • _wcslen.LIBCMT ref: 00E1C5F4
            • _wcslen.LIBCMT ref: 00E1C66F
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00E1C6B2
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00E1C7C1
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00E1C84D
            • RegCloseKey.ADVAPI32(?), ref: 00E1C881
            • RegCloseKey.ADVAPI32(00000000), ref: 00E1C88E
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00E1C960
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Value$Close$_wcslen$ConnectCreateRegistry
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 9721498-966354055
            • Opcode ID: 5bf2f8121365fa3aadc96789c30af478748f970910aa4dfde58febbc6ef17e0c
            • Instruction ID: 6ab775d4763daaf33fc86a1d44554ecd6b3200ffc43c81b76778a3cee0d1ee32
            • Opcode Fuzzy Hash: 5bf2f8121365fa3aadc96789c30af478748f970910aa4dfde58febbc6ef17e0c
            • Instruction Fuzzy Hash: B3126C356082019FDB14DF24C881A6AB7E5FF88714F15885DF85AAB3A2DB31FD41CBA1
            Function 00E2091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON
            Download Yara Rule
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00E209C6
            • _wcslen.LIBCMT ref: 00E20A01
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E20A54
            • _wcslen.LIBCMT ref: 00E20A8A
            • _wcslen.LIBCMT ref: 00E20B06
            • _wcslen.LIBCMT ref: 00E20B81
              • Part of subcall function 00DAF9F2: _wcslen.LIBCMT ref: 00DAF9FD
              • Part of subcall function 00DF2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DF2BFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$MessageSend$BuffCharUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 1103490817-4258414348
            • Opcode ID: 765ed3ca327b623ae1c658bac0f348ce46d6d9e33b635449b1e213acf152403f
            • Instruction ID: 2163606be80d57a9ea6e7093d301c092cc0560a5d585f30c24d8fd2789399955
            • Opcode Fuzzy Hash: 765ed3ca327b623ae1c658bac0f348ce46d6d9e33b635449b1e213acf152403f
            • Instruction Fuzzy Hash: 1DE1BB312083118FCB14DF24D45196AB7E2FF98318B55995CF896AB3A2DB30ED49CBA1
            Function 00E1C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 1256254125-909552448
            • Opcode ID: 1723a148d8b5a1446f1f9f46884440972982f28c171b88dba0b64e3c57daf78d
            • Instruction ID: f3d1db9047076b4863f3a2765ac8e3973f16ec7165ca3b94551dde022f72def1
            • Opcode Fuzzy Hash: 1723a148d8b5a1446f1f9f46884440972982f28c171b88dba0b64e3c57daf78d
            • Instruction Fuzzy Hash: B971E63268412A8BCB20DE6CD9519FF3391AFA5758B352929FC56F7284E631CDC4C7A0
            Function 00E2833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON
            Download Yara Rule
            APIs
            • _wcslen.LIBCMT ref: 00E2835A
            • _wcslen.LIBCMT ref: 00E2836E
            • _wcslen.LIBCMT ref: 00E28391
            • _wcslen.LIBCMT ref: 00E283B4
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E283F2
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00E2361A,?), ref: 00E2844E
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E28487
            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E284CA
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E28501
            • FreeLibrary.KERNEL32(?), ref: 00E2850D
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E2851D
            • DestroyIcon.USER32(?), ref: 00E2852C
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E28549
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E28555
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
            • String ID: .dll$.exe$.icl
            • API String ID: 799131459-1154884017
            • Opcode ID: f139f57354685e97b9897db7aa1bfdb6b149707b25c612b4158de68f32c07b67
            • Instruction ID: 5dac3f30bbb850ffcf9f67f49a23449e80bf4d36e5ee5e797fecbd926219a60a
            • Opcode Fuzzy Hash: f139f57354685e97b9897db7aa1bfdb6b149707b25c612b4158de68f32c07b67
            • Instruction Fuzzy Hash: A261AC71540225BEEB24DF64ED41BFE77A8FF08B21F105609F815E60D1DB74AA94CBA0
            Function 00D97778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 0-1645009161
            • Opcode ID: d19453de92a9dbf24edcc3fb0e32aaec7b90d3efc3ee7c050663475218703d46
            • Instruction ID: 079aeb467ee2429c85e8070d4ca579b5c3073c67b4163e8a4decbcc0f1f3e068
            • Opcode Fuzzy Hash: d19453de92a9dbf24edcc3fb0e32aaec7b90d3efc3ee7c050663475218703d46
            • Instruction Fuzzy Hash: DB81F471A54705BBDF20AFA0EC43FAE77A9EF15300F044029F905AA296EB71DA15C7B1
            Function 00DF5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON
            Download Yara Rule
            APIs
            • LoadIconW.USER32(00000063), ref: 00DF5A2E
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DF5A40
            • SetWindowTextW.USER32(?,?), ref: 00DF5A57
            • GetDlgItem.USER32(?,000003EA), ref: 00DF5A6C
            • SetWindowTextW.USER32(00000000,?), ref: 00DF5A72
            • GetDlgItem.USER32(?,000003E9), ref: 00DF5A82
            • SetWindowTextW.USER32(00000000,?), ref: 00DF5A88
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DF5AA9
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DF5AC3
            • GetWindowRect.USER32(?,?), ref: 00DF5ACC
            • _wcslen.LIBCMT ref: 00DF5B33
            • SetWindowTextW.USER32(?,?), ref: 00DF5B6F
            • GetDesktopWindow.USER32 ref: 00DF5B75
            • GetWindowRect.USER32(00000000), ref: 00DF5B7C
            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00DF5BD3
            • GetClientRect.USER32(?,?), ref: 00DF5BE0
            • PostMessageW.USER32(?,00000005,00000000,?), ref: 00DF5C05
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DF5C2F
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
            • String ID:
            • API String ID: 895679908-0
            • Opcode ID: 797f5c12b9e2c7bc5ed1bbb3aa2bafc83216ccbf3f2dfa9f91ab26961147e354
            • Instruction ID: 4803f7462e7aa29ce482988e7c6335bf885f422d40f492b3b4fd431e66389277
            • Opcode Fuzzy Hash: 797f5c12b9e2c7bc5ed1bbb3aa2bafc83216ccbf3f2dfa9f91ab26961147e354
            • Instruction Fuzzy Hash: F6719E31900B09AFCB20DFA9DE85B7EBBF5FF48704F158518E682A25A4D771E944CB60
            Function 00DF30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[
            • API String ID: 176396367-1901692981
            • Opcode ID: 30a0aa3f389a888c287dceb1b4b578a2c13ec6bc109c0415689ecb701c5342e3
            • Instruction ID: dab867fe31a596715ccb8e41439d0011a33b74d4a46ae84ed971d321b53a5bc9
            • Opcode Fuzzy Hash: 30a0aa3f389a888c287dceb1b4b578a2c13ec6bc109c0415689ecb701c5342e3
            • Instruction Fuzzy Hash: 61E19532A0061A9BCB14DFB8C4516FDB7A4FF54750F5BC119EA56B7240DB30AE858BB0
            Function 00DB00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON
            Download Yara Rule
            APIs
            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00DB00C6
              • Part of subcall function 00DB00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00E6070C,00000FA0,4A4152D0,?,?,?,?,00DD23B3,000000FF), ref: 00DB011C
              • Part of subcall function 00DB00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00DD23B3,000000FF), ref: 00DB0127
              • Part of subcall function 00DB00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00DD23B3,000000FF), ref: 00DB0138
              • Part of subcall function 00DB00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00DB014E
              • Part of subcall function 00DB00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00DB015C
              • Part of subcall function 00DB00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00DB016A
              • Part of subcall function 00DB00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00DB0195
              • Part of subcall function 00DB00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00DB01A0
            • ___scrt_fastfail.LIBCMT ref: 00DB00E7
              • Part of subcall function 00DB00A3: __onexit.LIBCMT ref: 00DB00A9
            Strings
            • kernel32.dll, xrefs: 00DB0133
            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00DB0122
            • SleepConditionVariableCS, xrefs: 00DB0154
            • InitializeConditionVariable, xrefs: 00DB0148
            • WakeAllConditionVariable, xrefs: 00DB0162
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
            • API String ID: 66158676-1714406822
            • Opcode ID: 0470c1339baecc23ad6561d4587cb3fcba0cbeab2400118f68c430b2ee50c2eb
            • Instruction ID: 04748c7b31d7d6f44e0968d48b832f667b5f29767c92a0c7bac0929586cee6e8
            • Opcode Fuzzy Hash: 0470c1339baecc23ad6561d4587cb3fcba0cbeab2400118f68c430b2ee50c2eb
            • Instruction Fuzzy Hash: 1C21AD32945711AFD7246B65FC06B6F77A4EB05B91F140536F903F7291DAA0980489B0
            Function 00E044C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON
            Download Yara Rule
            APIs
            • CharLowerBuffW.USER32(00000000,00000000,00E2CC08), ref: 00E04527
            • _wcslen.LIBCMT ref: 00E0453B
            • _wcslen.LIBCMT ref: 00E04599
            • _wcslen.LIBCMT ref: 00E045F4
            • _wcslen.LIBCMT ref: 00E0463F
            • _wcslen.LIBCMT ref: 00E046A7
              • Part of subcall function 00DAF9F2: _wcslen.LIBCMT ref: 00DAF9FD
            • GetDriveTypeW.KERNEL32(?,00E56BF0,00000061), ref: 00E04743
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$BuffCharDriveLowerType
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2055661098-1000479233
            • Opcode ID: ad2792e6cdcc513ceb99b2cb9274a36cafa14a7ba3f5a29b0e06a0673bf19631
            • Instruction ID: a77ae5143e0bef538cfc1d8a5a357dd6f7ea39a40883050c84d126f1f0d7817c
            • Opcode Fuzzy Hash: ad2792e6cdcc513ceb99b2cb9274a36cafa14a7ba3f5a29b0e06a0673bf19631
            • Instruction Fuzzy Hash: 17B101F16083029BC710DF28DA90A6EB3E4EFA5724F50591DF696E32D1E730D884CB62
            Function 00E2911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00DA9BB2
            • DragQueryPoint.SHELL32(?,?), ref: 00E29147
              • Part of subcall function 00E27674: ClientToScreen.USER32(?,?), ref: 00E2769A
              • Part of subcall function 00E27674: GetWindowRect.USER32(?,?), ref: 00E27710
              • Part of subcall function 00E27674: PtInRect.USER32(?,?,00E28B89), ref: 00E27720
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00E291B0
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E291BB
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E291DE
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E29225
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00E2923E
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00E29255
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00E29277
            • DragFinish.SHELL32(?), ref: 00E2927E
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E29371
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#
            • API String ID: 221274066-136824727
            • Opcode ID: c97c7bbe6bc5e1429e439b490093f700d25bbb8e50d4e1c945fb83194e054694
            • Instruction ID: 58383856d3b28dcb1f8fe0538428536006da3bed373912beb8b47fad341f5b94
            • Opcode Fuzzy Hash: c97c7bbe6bc5e1429e439b490093f700d25bbb8e50d4e1c945fb83194e054694
            • Instruction Fuzzy Hash: 2D617972108301AFC701EF65EC85DAFBBE8FF88750F50191EF595A21A1DB709A49CB62
            Function 00E1AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON
            Download Yara Rule
            APIs
            • _wcslen.LIBCMT ref: 00E1B198
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E1B1B0
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E1B1D4
            • _wcslen.LIBCMT ref: 00E1B200
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E1B214
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E1B236
            • _wcslen.LIBCMT ref: 00E1B332
              • Part of subcall function 00E005A7: GetStdHandle.KERNEL32(000000F6), ref: 00E005C6
            • _wcslen.LIBCMT ref: 00E1B34B
            • _wcslen.LIBCMT ref: 00E1B366
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E1B3B6
            • GetLastError.KERNEL32(00000000), ref: 00E1B407
            • CloseHandle.KERNEL32(?), ref: 00E1B439
            • CloseHandle.KERNEL32(00000000), ref: 00E1B44A
            • CloseHandle.KERNEL32(00000000), ref: 00E1B45C
            • CloseHandle.KERNEL32(00000000), ref: 00E1B46E
            • CloseHandle.KERNEL32(?), ref: 00E1B4E3
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
            • String ID:
            • API String ID: 2178637699-0
            • Opcode ID: f60e53cceb53b0385277468f39a88ffb50dcf5732316a4030d5b81e5313a1f5c
            • Instruction ID: 6285ee3f17778b6a77d58b2a36ea24866cbb03936e67407a553122668bbc4e6a
            • Opcode Fuzzy Hash: f60e53cceb53b0385277468f39a88ffb50dcf5732316a4030d5b81e5313a1f5c
            • Instruction Fuzzy Hash: 60F16B31508240DFCB14EF24C891BAEBBE5EF85314F14955DF495AB2A2DB31EC84CB62
            Function 00D9326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON
            Download Yara Rule
            APIs
            • GetMenuItemCount.USER32(00E61990), ref: 00DD2F8D
            • GetMenuItemCount.USER32(00E61990), ref: 00DD303D
            • GetCursorPos.USER32(?), ref: 00DD3081
            • SetForegroundWindow.USER32(00000000), ref: 00DD308A
            • TrackPopupMenuEx.USER32(00E61990,00000000,?,00000000,00000000,00000000), ref: 00DD309D
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00DD30A9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
            • String ID: 0
            • API String ID: 36266755-4108050209
            • Opcode ID: 4336e6d48e4dc0131612c55ae3ca5579ba7baaea7318cb4457c995ff3337254b
            • Instruction ID: 578260cbba0ff194c75dc3d266ae2870446695cfaa995e98b9dfa44a9f36d59e
            • Opcode Fuzzy Hash: 4336e6d48e4dc0131612c55ae3ca5579ba7baaea7318cb4457c995ff3337254b
            • Instruction Fuzzy Hash: BF712731644205BEEB218F25CC49FBABF68FF05364F244207F5246A2E0C7B1A914CBB1
            Function 00E26CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON
            Download Yara Rule
            APIs
            • DestroyWindow.USER32(?,?), ref: 00E26DEB
              • Part of subcall function 00D96B57: _wcslen.LIBCMT ref: 00D96B6A
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E26E5F
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E26E81
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E26E94
            • DestroyWindow.USER32(?), ref: 00E26EB5
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D90000,00000000), ref: 00E26EE4
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E26EFD
            • GetDesktopWindow.USER32 ref: 00E26F16
            • GetWindowRect.USER32(00000000), ref: 00E26F1D
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E26F35
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E26F4D
              • Part of subcall function 00DA9944: GetWindowLongW.USER32(?,000000EB), ref: 00DA9952
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
            • String ID: 0$tooltips_class32
            • API String ID: 2429346358-3619404913
            • Opcode ID: 269f20651cd183ab5e424b26d602a3847c3ca364cd7c5743bcab54c7c8f82141
            • Instruction ID: a069283ca59ef09558bd80170e0f787802903041fa609e5f2d9a39f734a8b5ba
            • Opcode Fuzzy Hash: 269f20651cd183ab5e424b26d602a3847c3ca364cd7c5743bcab54c7c8f82141
            • Instruction Fuzzy Hash: 7D714C74104244AFEB21CF19EC44AABBBF9FB89708F14151DF999A7261D770E90ACB12
            Function 00E0C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON
            Download Yara Rule
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E0C4B0
            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00E0C4C3
            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00E0C4D7
            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00E0C4F0
            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00E0C533
            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00E0C549
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E0C554
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E0C584
            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00E0C5DC
            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00E0C5F0
            • InternetCloseHandle.WININET(00000000), ref: 00E0C5FB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
            • String ID:
            • API String ID: 3800310941-3916222277
            • Opcode ID: ad902ac6a4e1a748766453aee6f4d8bb44f1e7f7b4eff2c02e9e76c3c36b001c
            • Instruction ID: b8c89e5256cd1b3a5b537dc303ee31bf99f48f58f5eafea06236c149cecec7d6
            • Opcode Fuzzy Hash: ad902ac6a4e1a748766453aee6f4d8bb44f1e7f7b4eff2c02e9e76c3c36b001c
            • Instruction Fuzzy Hash: 675151B5500604BFDB318F61CD48AAB7BFCFF08758F20551AF945A6190DB34E989DB60
            Function 00E2856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON
            Download Yara Rule
            APIs
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00E28592
            • GetFileSize.KERNEL32(00000000,00000000), ref: 00E285A2
            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00E285AD
            • CloseHandle.KERNEL32(00000000), ref: 00E285BA
            • GlobalLock.KERNEL32(00000000), ref: 00E285C8
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00E285D7
            • GlobalUnlock.KERNEL32(00000000), ref: 00E285E0
            • CloseHandle.KERNEL32(00000000), ref: 00E285E7
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00E285F8
            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00E2FC38,?), ref: 00E28611
            • GlobalFree.KERNEL32(00000000), ref: 00E28621
            • GetObjectW.GDI32(?,00000018,000000FF), ref: 00E28641
            • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00E28671
            • DeleteObject.GDI32(00000000), ref: 00E28699
            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E286AF
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
            • String ID:
            • API String ID: 3840717409-0
            • Opcode ID: 32e1e371ce41b23ed267d9dae8f5fb87e37d063330f32b9bb23c32d0779c3345
            • Instruction ID: 4ab4bb4be19449812542b9a7f086da1f54f7d400b7b7c12db32115a36732dfe1
            • Opcode Fuzzy Hash: 32e1e371ce41b23ed267d9dae8f5fb87e37d063330f32b9bb23c32d0779c3345
            • Instruction Fuzzy Hash: F641FC75601218AFDB21DF65DD48EAE7BB8FF89715F204058F905E7260DB70A905CB60
            Function 00E014BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON
            Download Yara Rule
            APIs
            • VariantInit.OLEAUT32(00000000), ref: 00E01502
            • VariantCopy.OLEAUT32(?,?), ref: 00E0150B
            • VariantClear.OLEAUT32(?), ref: 00E01517
            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00E015FB
            • VarR8FromDec.OLEAUT32(?,?), ref: 00E01657
            • VariantInit.OLEAUT32(?), ref: 00E01708
            • SysFreeString.OLEAUT32(?), ref: 00E0178C
            • VariantClear.OLEAUT32(?), ref: 00E017D8
            • VariantClear.OLEAUT32(?), ref: 00E017E7
            • VariantInit.OLEAUT32(00000000), ref: 00E01823
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
            • String ID: %4d%02d%02d%02d%02d%02d$Default
            • API String ID: 1234038744-3931177956
            • Opcode ID: 7d7c62fcb9e312e366414fe2998c4e853c9dc319107ef6963483fce183a38b1a
            • Instruction ID: daaa98dbe95fbe9381d9bbb1ea60c1357eb2eab961da6b464a1eae5c7994787b
            • Opcode Fuzzy Hash: 7d7c62fcb9e312e366414fe2998c4e853c9dc319107ef6963483fce183a38b1a
            • Instruction Fuzzy Hash: 01D1AE72A00615DBDB10AFA5E885BBDB7B5FF45700F24809AE446BF1C0DB30E985DBA1
            Function 00E1B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
              • Part of subcall function 00E1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E1B6AE,?,?), ref: 00E1C9B5
              • Part of subcall function 00E1C998: _wcslen.LIBCMT ref: 00E1C9F1
              • Part of subcall function 00E1C998: _wcslen.LIBCMT ref: 00E1CA68
              • Part of subcall function 00E1C998: _wcslen.LIBCMT ref: 00E1CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E1B6F4
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E1B772
            • RegDeleteValueW.ADVAPI32(?,?), ref: 00E1B80A
            • RegCloseKey.ADVAPI32(?), ref: 00E1B87E
            • RegCloseKey.ADVAPI32(?), ref: 00E1B89C
            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00E1B8F2
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E1B904
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00E1B922
            • FreeLibrary.KERNEL32(00000000), ref: 00E1B983
            • RegCloseKey.ADVAPI32(00000000), ref: 00E1B994
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 146587525-4033151799
            • Opcode ID: 9c1d5c2c6aacdeffc988cb1f6db8dbb7f826a5597d804545c900d24b042fa1e9
            • Instruction ID: 242e2b834c6ffae5e8fbcbb78ba5344f1a3707f3e3b2b7574bdc77ea5c1f927d
            • Opcode Fuzzy Hash: 9c1d5c2c6aacdeffc988cb1f6db8dbb7f826a5597d804545c900d24b042fa1e9
            • Instruction Fuzzy Hash: 08C19F31208201AFD714DF24C495F6ABBE5FF84318F54955CF49A9B2A2CB71EC86CBA1
            Function 00E1255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON
            Download Yara Rule
            APIs
            • GetDC.USER32(00000000), ref: 00E125D8
            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00E125E8
            • CreateCompatibleDC.GDI32(?), ref: 00E125F4
            • SelectObject.GDI32(00000000,?), ref: 00E12601
            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00E1266D
            • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00E126AC
            • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00E126D0
            • SelectObject.GDI32(?,?), ref: 00E126D8
            • DeleteObject.GDI32(?), ref: 00E126E1
            • DeleteDC.GDI32(?), ref: 00E126E8
            • ReleaseDC.USER32(00000000,?), ref: 00E126F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            • Opcode ID: cbd8d339cb89b07a81e5abfb0a4f387fe43602ec2bd53035d462c91767243512
            • Instruction ID: 136561429ed685095cf76b7c82f03fe747c0be99936b07b7936e1bcd8f642c6c
            • Opcode Fuzzy Hash: cbd8d339cb89b07a81e5abfb0a4f387fe43602ec2bd53035d462c91767243512
            • Instruction Fuzzy Hash: 2161D175D00219EFCF14CFA4D885AAEBBF6FF48310F208529EA55B7250D770A9518FA0
            Function 00DCDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • ___free_lconv_mon.LIBCMT ref: 00DCDAA1
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD659
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD66B
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD67D
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD68F
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD6A1
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD6B3
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD6C5
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD6D7
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD6E9
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD6FB
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD70D
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD71F
              • Part of subcall function 00DCD63C: _free.LIBCMT ref: 00DCD731
            • _free.LIBCMT ref: 00DCDA96
              • Part of subcall function 00DC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000), ref: 00DC29DE
              • Part of subcall function 00DC29C8: GetLastError.KERNEL32(00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000,00000000), ref: 00DC29F0
            • _free.LIBCMT ref: 00DCDAB8
            • _free.LIBCMT ref: 00DCDACD
            • _free.LIBCMT ref: 00DCDAD8
            • _free.LIBCMT ref: 00DCDAFA
            • _free.LIBCMT ref: 00DCDB0D
            • _free.LIBCMT ref: 00DCDB1B
            • _free.LIBCMT ref: 00DCDB26
            • _free.LIBCMT ref: 00DCDB5E
            • _free.LIBCMT ref: 00DCDB65
            • _free.LIBCMT ref: 00DCDB82
            • _free.LIBCMT ref: 00DCDB9A
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
            • String ID:
            • API String ID: 161543041-0
            • Opcode ID: fdf65e0d6b597c0c27aa5959c800aa928b3409b637f93e104c2e93eccd7f6bb9
            • Instruction ID: fab81179f256653396f7f41fe86042ba8f70162b7c8128b5d57814e5cceee0c5
            • Opcode Fuzzy Hash: fdf65e0d6b597c0c27aa5959c800aa928b3409b637f93e104c2e93eccd7f6bb9
            • Instruction Fuzzy Hash: 693137316446069FEB22AA79EC45F6AB7EAFF10311F29492DE459D7191DF31AC808B30
            Function 00DF365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON
            Download Yara Rule
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 00DF369C
            • _wcslen.LIBCMT ref: 00DF36A7
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00DF3797
            • GetClassNameW.USER32(?,?,00000400), ref: 00DF380C
            • GetDlgCtrlID.USER32(?), ref: 00DF385D
            • GetWindowRect.USER32(?,?), ref: 00DF3882
            • GetParent.USER32(?), ref: 00DF38A0
            • ScreenToClient.USER32(00000000), ref: 00DF38A7
            • GetClassNameW.USER32(?,?,00000100), ref: 00DF3921
            • GetWindowTextW.USER32(?,?,00000400), ref: 00DF395D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
            • String ID: %s%u
            • API String ID: 4010501982-679674701
            • Opcode ID: a15c4eab3a33c76edbcc142d56436ee34e1d024de3a63faa07bcd5ed3d530904
            • Instruction ID: 9052a657aabfbfd30af5ec41f86cc4a5ab2cc5e66f7f649e354c9ae0041fd45a
            • Opcode Fuzzy Hash: a15c4eab3a33c76edbcc142d56436ee34e1d024de3a63faa07bcd5ed3d530904
            • Instruction Fuzzy Hash: 4B91C37120460AAFD714DF24C885BBAF7A8FF44350F068619FA9AD2150DB70EA49CBB1
            Function 00DF4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON
            Download Yara Rule
            APIs
            • GetClassNameW.USER32(?,?,00000400), ref: 00DF4994
            • GetWindowTextW.USER32(?,?,00000400), ref: 00DF49DA
            • _wcslen.LIBCMT ref: 00DF49EB
            • CharUpperBuffW.USER32(?,00000000), ref: 00DF49F7
            • _wcsstr.LIBVCRUNTIME ref: 00DF4A2C
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00DF4A64
            • GetWindowTextW.USER32(?,?,00000400), ref: 00DF4A9D
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00DF4AE6
            • GetClassNameW.USER32(?,?,00000400), ref: 00DF4B20
            • GetWindowRect.USER32(?,?), ref: 00DF4B8B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
            • String ID: ThumbnailClass
            • API String ID: 1311036022-1241985126
            • Opcode ID: bb863af492a679a19919ce9bc1255d35337961d9e74a3be7e82986f4493f0929
            • Instruction ID: 9d1fb88b830a3127edb83436a8735d90ed208e3135be43c8e1208adc785963cc
            • Opcode Fuzzy Hash: bb863af492a679a19919ce9bc1255d35337961d9e74a3be7e82986f4493f0929
            • Instruction Fuzzy Hash: EF919C711042099FDB14CF14C985BBBB7A8FF84714F098469FE8A9A196DB30ED49CBB1
            Function 00E1CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON
            Download Yara Rule
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00E1CC64
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00E1CC8D
            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00E1CD48
              • Part of subcall function 00E1CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00E1CCAA
              • Part of subcall function 00E1CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00E1CCBD
              • Part of subcall function 00E1CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E1CCCF
              • Part of subcall function 00E1CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00E1CD05
              • Part of subcall function 00E1CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00E1CD28
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00E1CCF3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2734957052-4033151799
            • Opcode ID: 01725dd869f273f45892a89e8c7bbe40e0546618ceb28040c3455f03e2b82556
            • Instruction ID: baad7633b5dda743a094eb9f992ff88e9b0abe206ccc287684455980da8d2b70
            • Opcode Fuzzy Hash: 01725dd869f273f45892a89e8c7bbe40e0546618ceb28040c3455f03e2b82556
            • Instruction Fuzzy Hash: 9C318E71941129BFDB308B51EC88EFFBB7CEF05744F201165A905F2240DA709E8ADAE0
            Function 00E03D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON
            Download Yara Rule
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E03D40
            • _wcslen.LIBCMT ref: 00E03D6D
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E03D9D
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E03DBE
            • RemoveDirectoryW.KERNEL32(?), ref: 00E03DCE
            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E03E55
            • CloseHandle.KERNEL32(00000000), ref: 00E03E60
            • CloseHandle.KERNEL32(00000000), ref: 00E03E6B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
            • String ID: :$\$\??\%s
            • API String ID: 1149970189-3457252023
            • Opcode ID: f409ae734471050ff914d0158fb8d7b7d4bf8684351f80f993a3dc7d91078df3
            • Instruction ID: 2a5932182bea9a8fb012ce730c5198db9bc7a94e7cb84c4401d239d8de8b8c6e
            • Opcode Fuzzy Hash: f409ae734471050ff914d0158fb8d7b7d4bf8684351f80f993a3dc7d91078df3
            • Instruction Fuzzy Hash: B031A372900209ABDB21DBA1DC49FEF37BDEF88704F2041A6F505E61A0EB7097858B34
            Function 00DFE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
            Download Yara Rule
            APIs
            • timeGetTime.WINMM ref: 00DFE6B4
              • Part of subcall function 00DAE551: timeGetTime.WINMM(?,?,00DFE6D4), ref: 00DAE555
            • Sleep.KERNEL32(0000000A), ref: 00DFE6E1
            • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00DFE705
            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00DFE727
            • SetActiveWindow.USER32 ref: 00DFE746
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DFE754
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00DFE773
            • Sleep.KERNEL32(000000FA), ref: 00DFE77E
            • IsWindow.USER32 ref: 00DFE78A
            • EndDialog.USER32(00000000), ref: 00DFE79B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            • Opcode ID: 0ef09177c3d97b1bb247753eb394c41b5ac436136209f99834434d20f04e60ab
            • Instruction ID: 534a2029f63c85fb5dab4657b72925d58179f2e9ec1327a101618218a63383ac
            • Opcode Fuzzy Hash: 0ef09177c3d97b1bb247753eb394c41b5ac436136209f99834434d20f04e60ab
            • Instruction Fuzzy Hash: 6021C570200608AFEB106F27FC8DA3E3B69F754788B154825F702A1171DBB19C199B30
            Function 00DFE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DFEA5D
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DFEA73
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DFEA84
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DFEA96
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DFEAA7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: SendString$_wcslen
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 2420728520-1007645807
            • Opcode ID: 1d53d8afaa19dc445a8317c61a75709297d5f492bf0eda8e2063bf6a87afbc48
            • Instruction ID: 13cb855b6c43e0ff05731dd5a3e719cd0b886a7ae26fda7fc28373907be651d7
            • Opcode Fuzzy Hash: 1d53d8afaa19dc445a8317c61a75709297d5f492bf0eda8e2063bf6a87afbc48
            • Instruction Fuzzy Hash: 05119171A9025979DB20A7A6DC4ADFF7B7CEBD1F00F444829B801A30E1EE700909C5B0
            Function 00DF5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON
            Download Yara Rule
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 00DF5CE2
            • GetWindowRect.USER32(00000000,?), ref: 00DF5CFB
            • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00DF5D59
            • GetDlgItem.USER32(?,00000002), ref: 00DF5D69
            • GetWindowRect.USER32(00000000,?), ref: 00DF5D7B
            • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00DF5DCF
            • GetDlgItem.USER32(?,000003E9), ref: 00DF5DDD
            • GetWindowRect.USER32(00000000,?), ref: 00DF5DEF
            • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00DF5E31
            • GetDlgItem.USER32(?,000003EA), ref: 00DF5E44
            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DF5E5A
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00DF5E67
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$ItemMoveRect$Invalidate
            • String ID:
            • API String ID: 3096461208-0
            • Opcode ID: c2165f24ef3f12433ac90eacc1ada9df39d2ddac6e994d0fc904ea070a34382d
            • Instruction ID: 3a944f04b345dc244c6c0c74570b653e9bee23fe174841a10f34cf187aa20181
            • Opcode Fuzzy Hash: c2165f24ef3f12433ac90eacc1ada9df39d2ddac6e994d0fc904ea070a34382d
            • Instruction Fuzzy Hash: 81512F70A00609AFDB18CF69DD89AAE7BB5FB48700F258129F615E7294D7709E05CB60
            Function 00DA8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DA8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DA8BE8,?,00000000,?,?,?,?,00DA8BBA,00000000,?), ref: 00DA8FC5
            • DestroyWindow.USER32(?), ref: 00DA8C81
            • KillTimer.USER32(00000000,?,?,?,?,00DA8BBA,00000000,?), ref: 00DA8D1B
            • DestroyAcceleratorTable.USER32(00000000), ref: 00DE6973
            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00DA8BBA,00000000,?), ref: 00DE69A1
            • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00DA8BBA,00000000,?), ref: 00DE69B8
            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00DA8BBA,00000000), ref: 00DE69D4
            • DeleteObject.GDI32(00000000), ref: 00DE69E6
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            • Opcode ID: eada8ca3146263c1ec8f01f4d09c39783298871094bab1ba9e66f78a12e45226
            • Instruction ID: adff06f61ddb5c83fe01d3cfa4eae74572eb3d8d37d16810f8d8d6761a2c5a70
            • Opcode Fuzzy Hash: eada8ca3146263c1ec8f01f4d09c39783298871094bab1ba9e66f78a12e45226
            • Instruction Fuzzy Hash: 88619D30502740DFCB369F16D948B2AB7F1FB51362F184568E482A7560CB71E995EF70
            Function 00DA9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DA9944: GetWindowLongW.USER32(?,000000EB), ref: 00DA9952
            • GetSysColor.USER32(0000000F), ref: 00DA9862
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            • Opcode ID: e0d71c49f6f59187f96c602d21e34c5a5f534f90268a0d101f87afc5b4d60108
            • Instruction ID: 6c66bb97b499f38ce3f2a9e6bd4aaa0896948f7a3db6bf7011b4d11d1b7470f7
            • Opcode Fuzzy Hash: e0d71c49f6f59187f96c602d21e34c5a5f534f90268a0d101f87afc5b4d60108
            • Instruction Fuzzy Hash: CE41AF31105640AFDB309F39DC99BBA7BA5AB07320F284605F9A29B1E1C7399C42DB31
            Function 00DF96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON
            Download Yara Rule
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00DDF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00DF9717
            • LoadStringW.USER32(00000000,?,00DDF7F8,00000001), ref: 00DF9720
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
            • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00DDF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00DF9742
            • LoadStringW.USER32(00000000,?,00DDF7F8,00000001), ref: 00DF9745
            • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00DF9866
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message_wcslen
            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
            • API String ID: 747408836-2268648507
            • Opcode ID: fe18f20705702ca18da5e8d0107a4984d66950829a50cc0a3fcc2bf3d0596cb4
            • Instruction ID: 1f26593cc7c388d86bfb8ebc4856010ce34f565b04d37f0e5aba06e4e6fb63fe
            • Opcode Fuzzy Hash: fe18f20705702ca18da5e8d0107a4984d66950829a50cc0a3fcc2bf3d0596cb4
            • Instruction Fuzzy Hash: 0C412772800209AACF04FBE4DE96EEEB778EF55340F604069F60572092EA756F48CB71
            Function 00DF06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D96B57: _wcslen.LIBCMT ref: 00D96B6A
            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00DF07A2
            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00DF07BE
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00DF07DA
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00DF0804
            • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00DF082C
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DF0837
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DF083C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
            • API String ID: 323675364-22481851
            • Opcode ID: 9308788c31800758f2c102fc88f8c24b4971c397dc67347a7211feefc69e24be
            • Instruction ID: 296c773c96514aad3f72dcddb69658906efef2837465c0fae5ba6d2d367ac500
            • Opcode Fuzzy Hash: 9308788c31800758f2c102fc88f8c24b4971c397dc67347a7211feefc69e24be
            • Instruction Fuzzy Hash: FE410472C10229ABCF25EBA4DC95CEDB778FF54350B158169E911B3161EB30AE48CBB0
            Function 00E13C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON
            Download Yara Rule
            APIs
            • VariantInit.OLEAUT32(?), ref: 00E13C5C
            • CoInitialize.OLE32(00000000), ref: 00E13C8A
            • CoUninitialize.OLE32 ref: 00E13C94
            • _wcslen.LIBCMT ref: 00E13D2D
            • GetRunningObjectTable.OLE32(00000000,?), ref: 00E13DB1
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00E13ED5
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00E13F0E
            • CoGetObject.OLE32(?,00000000,00E2FB98,?), ref: 00E13F2D
            • SetErrorMode.KERNEL32(00000000), ref: 00E13F40
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E13FC4
            • VariantClear.OLEAUT32(?), ref: 00E13FD8
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
            • String ID:
            • API String ID: 429561992-0
            • Opcode ID: fbd46346542d6c0b194b29f6f94f3ccb606c295a0e756ff8e3c6131119c3535d
            • Instruction ID: 33980adf297b5092e78cbd7cd83832791f15d79cec8da7a8d1dd844cc6ffc1b7
            • Opcode Fuzzy Hash: fbd46346542d6c0b194b29f6f94f3ccb606c295a0e756ff8e3c6131119c3535d
            • Instruction Fuzzy Hash: DCC169716083059FD700DF68C8849ABB7E9FF89748F10591DF98AAB251D730ED86CB62
            Function 00E07A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON
            Download Yara Rule
            APIs
            • CoInitialize.OLE32(00000000), ref: 00E07AF3
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E07B8F
            • SHGetDesktopFolder.SHELL32(?), ref: 00E07BA3
            • CoCreateInstance.OLE32(00E2FD08,00000000,00000001,00E56E6C,?), ref: 00E07BEF
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E07C74
            • CoTaskMemFree.OLE32(?,?), ref: 00E07CCC
            • SHBrowseForFolderW.SHELL32(?), ref: 00E07D57
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E07D7A
            • CoTaskMemFree.OLE32(00000000), ref: 00E07D81
            • CoTaskMemFree.OLE32(00000000), ref: 00E07DD6
            • CoUninitialize.OLE32 ref: 00E07DDC
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
            • String ID:
            • API String ID: 2762341140-0
            • Opcode ID: 33af4d5927adc3dd3cc347c56af7997bd7c287c55212d36f0bd333b5ac44bacf
            • Instruction ID: 44d34aeb9414437624dd338b948fecb5a5addb654f20af4adbfd118694b48ef1
            • Opcode Fuzzy Hash: 33af4d5927adc3dd3cc347c56af7997bd7c287c55212d36f0bd333b5ac44bacf
            • Instruction Fuzzy Hash: 2AC11D75A04109AFDB14DFA4C884DAEBBF5FF48304B148499E556EB361D730EE85CBA0
            Function 00E2541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E25504
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E25515
            • CharNextW.USER32(00000158), ref: 00E25544
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E25585
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E2559B
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E255AC
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$CharNext
            • String ID:
            • API String ID: 1350042424-0
            • Opcode ID: 8f339bcf972d08ce432f939a37459af18aa92c67cdea089f95a8e405bf15aa2f
            • Instruction ID: 7a9306ad0d019485b06042da9ec0e137fee5277ab4903a4c9e7a607791dba1f0
            • Opcode Fuzzy Hash: 8f339bcf972d08ce432f939a37459af18aa92c67cdea089f95a8e405bf15aa2f
            • Instruction Fuzzy Hash: FB61CC32900628EFDF209F95ED84AFE7BB9FF09724F109045F925B6290C7708A81CB61
            Function 00DEFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON
            Download Yara Rule
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DEFAAF
            • SafeArrayAllocData.OLEAUT32(?), ref: 00DEFB08
            • VariantInit.OLEAUT32(?), ref: 00DEFB1A
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DEFB3A
            • VariantCopy.OLEAUT32(?,?), ref: 00DEFB8D
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DEFBA1
            • VariantClear.OLEAUT32(?), ref: 00DEFBB6
            • SafeArrayDestroyData.OLEAUT32(?), ref: 00DEFBC3
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DEFBCC
            • VariantClear.OLEAUT32(?), ref: 00DEFBDE
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DEFBE9
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            • Opcode ID: 342821c86813a84089ae060d7eaf650ee10a4a3dceba661c11ff5b1f92356fc8
            • Instruction ID: 72215949647712904c4f63e1f44b32d36d951b8e08738db0da55efebb7dc5929
            • Opcode Fuzzy Hash: 342821c86813a84089ae060d7eaf650ee10a4a3dceba661c11ff5b1f92356fc8
            • Instruction Fuzzy Hash: ED413F35A002199FCF10EF69DC549AEBBB9FF48354F108069E956A7261DB30E946CFB0
            Function 00DF9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON
            Download Yara Rule
            APIs
            • GetKeyboardState.USER32(?), ref: 00DF9CA1
            • GetAsyncKeyState.USER32(000000A0), ref: 00DF9D22
            • GetKeyState.USER32(000000A0), ref: 00DF9D3D
            • GetAsyncKeyState.USER32(000000A1), ref: 00DF9D57
            • GetKeyState.USER32(000000A1), ref: 00DF9D6C
            • GetAsyncKeyState.USER32(00000011), ref: 00DF9D84
            • GetKeyState.USER32(00000011), ref: 00DF9D96
            • GetAsyncKeyState.USER32(00000012), ref: 00DF9DAE
            • GetKeyState.USER32(00000012), ref: 00DF9DC0
            • GetAsyncKeyState.USER32(0000005B), ref: 00DF9DD8
            • GetKeyState.USER32(0000005B), ref: 00DF9DEA
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: 1c5eb35eb043c467bc202f4a5280f7c806b077d5acecaa39ae25a45a27548b26
            • Instruction ID: 7df4d9e3cc027975bbd9078dded07fe0c9543436effdc18c15efa9308c4f1039
            • Opcode Fuzzy Hash: 1c5eb35eb043c467bc202f4a5280f7c806b077d5acecaa39ae25a45a27548b26
            • Instruction Fuzzy Hash: 0641B234D04BCD6DFF309661C8243B5EEA06B12344F1DC05ADBC65A5C2EBA499C887B2
            Function 00E1055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON
            Download Yara Rule
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 00E105BC
            • inet_addr.WSOCK32(?), ref: 00E1061C
            • gethostbyname.WSOCK32(?), ref: 00E10628
            • IcmpCreateFile.IPHLPAPI ref: 00E10636
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E106C6
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E106E5
            • IcmpCloseHandle.IPHLPAPI(?), ref: 00E107B9
            • WSACleanup.WSOCK32 ref: 00E107BF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            • Opcode ID: 23477fbec1d42119bbc37c8b6979dd78110baf91f51a42873783931ce773e562
            • Instruction ID: 268524cb7d2ce39b70961cbc0c0d05c37d8ab1ae9791ae5123fc8c9d34f50f6c
            • Opcode Fuzzy Hash: 23477fbec1d42119bbc37c8b6979dd78110baf91f51a42873783931ce773e562
            • Instruction Fuzzy Hash: 9A91AD356042019FD720DF15C489F5ABBE1EF44318F1485AAF469AB6A2C7B0EDC5CF91
            Function 00E18CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$BuffCharLower
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 707087890-567219261
            • Opcode ID: db5d2211442077a13650b96d729d781016f3cb712190bf3c58dac0ff7494829d
            • Instruction ID: 6bb2a38952da3f831fe0e8f567d549984607405e5fbc6e04b63162acd0dd3ae9
            • Opcode Fuzzy Hash: db5d2211442077a13650b96d729d781016f3cb712190bf3c58dac0ff7494829d
            • Instruction Fuzzy Hash: 17517F31A001169ACF14DF68CA518FEB7A6FF65728B215229E866B72C5DB31DD80C7A0
            Function 00E1372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON
            Download Yara Rule
            APIs
            • CoInitialize.OLE32 ref: 00E13774
            • CoUninitialize.OLE32 ref: 00E1377F
            • CoCreateInstance.OLE32(?,00000000,00000017,00E2FB78,?), ref: 00E137D9
            • IIDFromString.OLE32(?,?), ref: 00E1384C
            • VariantInit.OLEAUT32(?), ref: 00E138E4
            • VariantClear.OLEAUT32(?), ref: 00E13936
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 636576611-1287834457
            • Opcode ID: a55a7dea6a7ff9475201ef2f40b6b7dbc717cee6c414f27521b1deb26bb2b532
            • Instruction ID: ea227ad246f646d9cca8fa9766d81b86c5f8f3c7aa4c3a3faa22fc5d2b106c5e
            • Opcode Fuzzy Hash: a55a7dea6a7ff9475201ef2f40b6b7dbc717cee6c414f27521b1deb26bb2b532
            • Instruction Fuzzy Hash: 1A61B2716083019FD714DF64C885BABBBE8EF45714F10481AF985A7291C770EE88CBA2
            Function 00E03388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON
            Download Yara Rule
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00E033CF
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00E033F0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: LoadString$_wcslen
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
            • API String ID: 4099089115-3080491070
            • Opcode ID: 1466310f4c46aa1a7d925faff1fc7e8b881a24a32e826da3a912174c7d961cce
            • Instruction ID: 7cdcb77dedf4bb5153ff0d3e5b1d0df24d0d4a4e82cdefef47fdfcec0876093b
            • Opcode Fuzzy Hash: 1466310f4c46aa1a7d925faff1fc7e8b881a24a32e826da3a912174c7d961cce
            • Instruction Fuzzy Hash: 3B519972800209AADF15EBE4DD52EEEB378EF14340F244166F505721A2EB716F98DB70
            Function 00DFB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: APPEND$EXISTS$KEYS$REMOVE
            • API String ID: 1256254125-769500911
            • Opcode ID: 59d45f063a025c5c77cb6c5903820fa45c1c8106d6566747decd886c5af4209e
            • Instruction ID: e87bf06142cf4bd634165caf3f08384bc47035af17fe1edcb995197850d1cf1a
            • Opcode Fuzzy Hash: 59d45f063a025c5c77cb6c5903820fa45c1c8106d6566747decd886c5af4209e
            • Instruction Fuzzy Hash: DC41BB32A0012A9BCB106F7DC8915BE77A5AF64774B2A812BE565DF284F731CD81C7B0
            Function 00E05393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON
            Download Yara Rule
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00E053A0
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E05416
            • GetLastError.KERNEL32 ref: 00E05420
            • SetErrorMode.KERNEL32(00000000,READY), ref: 00E054A7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            • Opcode ID: 71b54542e0a2660f2292171f297ceac2ccd3344a470f2aec0d714f82b4c45f9e
            • Instruction ID: 584df194a8d8f72e092aba2e90e377f53b672622983f442a3e34f33adb9846c6
            • Opcode Fuzzy Hash: 71b54542e0a2660f2292171f297ceac2ccd3344a470f2aec0d714f82b4c45f9e
            • Instruction Fuzzy Hash: 6A31D236A005059FCB10DF68C485AEEBBB4EF44309F549469E812EB292DB30DDC6CFA1
            Function 00E23C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON
            Download Yara Rule
            APIs
            • CreateMenu.USER32 ref: 00E23C79
            • SetMenu.USER32(?,00000000), ref: 00E23C88
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E23D10
            • IsMenu.USER32(?), ref: 00E23D24
            • CreatePopupMenu.USER32 ref: 00E23D2E
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E23D5B
            • DrawMenuBar.USER32 ref: 00E23D63
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Menu$CreateItem$DrawInfoInsertPopup
            • String ID: 0$F
            • API String ID: 161812096-3044882817
            • Opcode ID: 72cf4887a3d73db641e7b5c1b4b034abb76b435ae72298fb89ca3a14bae9824a
            • Instruction ID: 01d58ed75e6cdb1b87822cd9678dfc17a8045af1e37ea5235bfddd02b188b912
            • Opcode Fuzzy Hash: 72cf4887a3d73db641e7b5c1b4b034abb76b435ae72298fb89ca3a14bae9824a
            • Instruction Fuzzy Hash: 8B419A75A01219EFDB24CF65E844AEA7BB5FF49344F140028F946A7360D774EA14CF90
            Function 00DF1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
              • Part of subcall function 00DF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DF3CCA
            • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00DF1F64
            • GetDlgCtrlID.USER32 ref: 00DF1F6F
            • GetParent.USER32 ref: 00DF1F8B
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00DF1F8E
            • GetDlgCtrlID.USER32(?), ref: 00DF1F97
            • GetParent.USER32(?), ref: 00DF1FAB
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00DF1FAE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 711023334-1403004172
            • Opcode ID: 860bb59d7282e8520788756675567127d53f0a13242c28abe5705a6faa265fa1
            • Instruction ID: a28e578e666aa1c65988545b3c65263b19f598ccba0d73aebb3b033a2cd55856
            • Opcode Fuzzy Hash: 860bb59d7282e8520788756675567127d53f0a13242c28abe5705a6faa265fa1
            • Instruction Fuzzy Hash: 0621FF75900218BFCF10AFA5CC94DFEBBB8EF05300B10410AFA65A72A1CB349919CB71
            Function 00E23A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E23A9D
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E23AA0
            • GetWindowLongW.USER32(?,000000F0), ref: 00E23AC7
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E23AEA
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E23B62
            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00E23BAC
            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00E23BC7
            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00E23BE2
            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00E23BF6
            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00E23C13
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$LongWindow
            • String ID:
            • API String ID: 312131281-0
            • Opcode ID: 16e1ce4d6c2f9b5072322d5a504645bbd0cc9c91402df04023f163a5e6f8da8d
            • Instruction ID: 8adbc7658c2edf57c1f9411e947cb2d1b82f78b48bbad4688e00123c46526a8d
            • Opcode Fuzzy Hash: 16e1ce4d6c2f9b5072322d5a504645bbd0cc9c91402df04023f163a5e6f8da8d
            • Instruction Fuzzy Hash: FF617875900218AFDB11DFA8DC81EEEB7B8EB49704F14009AFA15B72A1C774AE45DF60
            Function 00DC2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
            Download Yara Rule
            APIs
            • _free.LIBCMT ref: 00DC2C94
              • Part of subcall function 00DC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000), ref: 00DC29DE
              • Part of subcall function 00DC29C8: GetLastError.KERNEL32(00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000,00000000), ref: 00DC29F0
            • _free.LIBCMT ref: 00DC2CA0
            • _free.LIBCMT ref: 00DC2CAB
            • _free.LIBCMT ref: 00DC2CB6
            • _free.LIBCMT ref: 00DC2CC1
            • _free.LIBCMT ref: 00DC2CCC
            • _free.LIBCMT ref: 00DC2CD7
            • _free.LIBCMT ref: 00DC2CE2
            • _free.LIBCMT ref: 00DC2CED
            • _free.LIBCMT ref: 00DC2CFB
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 63fdf2f65b3b53bdf7512b33ad77fb5d79e99469404c790735a0ba1c81ceeeee
            • Instruction ID: 28cdabc39b0be2be30cd39da7ec6e0b27c8163bcb63f9c643176bd67c6ff8875
            • Opcode Fuzzy Hash: 63fdf2f65b3b53bdf7512b33ad77fb5d79e99469404c790735a0ba1c81ceeeee
            • Instruction Fuzzy Hash: E5115076540109AFCB02EF54D982EAD3BA5FF05350F5145A9FA489B222DB31EA509FB0
            Function 00D91410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON
            Download Yara Rule
            APIs
            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D91459
            • OleUninitialize.OLE32(?,00000000), ref: 00D914F8
            • UnregisterHotKey.USER32(?), ref: 00D916DD
            • DestroyWindow.USER32(?), ref: 00DD24B9
            • FreeLibrary.KERNEL32(?), ref: 00DD251E
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DD254B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
            • String ID: close all
            • API String ID: 469580280-3243417748
            • Opcode ID: b83535d15eb9c5cc8e2f74cb877ae63eaab3178c4479bac6ff81d89e008675af
            • Instruction ID: e6a01896c75168acd9078e425a09303edcd47f9cb55386e8eac22199e3f8e73d
            • Opcode Fuzzy Hash: b83535d15eb9c5cc8e2f74cb877ae63eaab3178c4479bac6ff81d89e008675af
            • Instruction Fuzzy Hash: 21D156357012228FCB29EF65D895A29F7A4FF55700F2542AEE44A6B261DB30ED12CF70
            Function 00E07DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON
            Download Yara Rule
            APIs
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E07FAD
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E07FC1
            • GetFileAttributesW.KERNEL32(?), ref: 00E07FEB
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00E08005
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E08017
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E08060
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00E080B0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CurrentDirectory$AttributesFile
            • String ID: *.*
            • API String ID: 769691225-438819550
            • Opcode ID: c320847ef91c823b98c4c343194c502c16bc5376fd643d03239065131a3430f6
            • Instruction ID: 0648981ef7f4d38f713038d30997718273da48b3390ac8ec641670a2059130d7
            • Opcode Fuzzy Hash: c320847ef91c823b98c4c343194c502c16bc5376fd643d03239065131a3430f6
            • Instruction Fuzzy Hash: E981A2729082459BDB20DF14C4449AEB3D8FF84354F14586EF4C5E7290EB35ED86CB62
            Function 00D95BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON
            Download Yara Rule
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 00D95C7A
              • Part of subcall function 00D95D0A: GetClientRect.USER32(?,?), ref: 00D95D30
              • Part of subcall function 00D95D0A: GetWindowRect.USER32(?,?), ref: 00D95D71
              • Part of subcall function 00D95D0A: ScreenToClient.USER32(?,?), ref: 00D95D99
            • GetDC.USER32 ref: 00DD46F5
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DD4708
            • SelectObject.GDI32(00000000,00000000), ref: 00DD4716
            • SelectObject.GDI32(00000000,00000000), ref: 00DD472B
            • ReleaseDC.USER32(?,00000000), ref: 00DD4733
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DD47C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            • Opcode ID: 1252c06741a51e829f5b2870289e9a0665da683aaa1e7a59aa9c782920aaec72
            • Instruction ID: fcaa3307cdd3e6c9ca642392ed72b3385d5856ffe5dbfd6117e0422b57e6ba7d
            • Opcode Fuzzy Hash: 1252c06741a51e829f5b2870289e9a0665da683aaa1e7a59aa9c782920aaec72
            • Instruction Fuzzy Hash: 1571C331500205EFCF228F64D984AFA7BB5FF46360F18426AE9566A26AC731DC45DFB0
            Function 00E0359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON
            Download Yara Rule
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00E035E4
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
            • LoadStringW.USER32(00E62390,?,00000FFF,?), ref: 00E0360A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: LoadString$_wcslen
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 4099089115-2391861430
            • Opcode ID: 7cad135b367f0725e78ca60d4061bc62d37651d095654f5fa290888b34e5d010
            • Instruction ID: e6feb4192dcf3b9ec939eb58ef6dafa498a09606831fd4dd0f18a8ed805c6e1b
            • Opcode Fuzzy Hash: 7cad135b367f0725e78ca60d4061bc62d37651d095654f5fa290888b34e5d010
            • Instruction Fuzzy Hash: 9E518E72C00209BACF15EBA4DC52EEEBB38EF14340F185169F515721A2EB711A98DFB0
            Function 00E0C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON
            Download Yara Rule
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E0C272
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E0C29A
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E0C2CA
            • GetLastError.KERNEL32 ref: 00E0C322
            • SetEvent.KERNEL32(?), ref: 00E0C336
            • InternetCloseHandle.WININET(00000000), ref: 00E0C341
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 3113390036-3916222277
            • Opcode ID: 6072fc850d20a7e9110d19b5ac91a2adc0a94bc6b66af49c5b4cff53eb3d78e5
            • Instruction ID: c6bf00f1d52b965b7003744f7e33c0a006fbc83fd3edeb668b0ef4cca200c3c4
            • Opcode Fuzzy Hash: 6072fc850d20a7e9110d19b5ac91a2adc0a94bc6b66af49c5b4cff53eb3d78e5
            • Instruction Fuzzy Hash: A53171B1500604AFD7219FA5CC84AAF7BFCEB49744F20961EF446B2290DB34DD8A9B61
            Function 00DF989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON
            Download Yara Rule
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00DD3AAF,?,?,Bad directive syntax error,00E2CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00DF98BC
            • LoadStringW.USER32(00000000,?,00DD3AAF,?), ref: 00DF98C3
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00DF9987
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: HandleLoadMessageModuleString_wcslen
            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
            • API String ID: 858772685-4153970271
            • Opcode ID: d64b3e14a481009a8519262ddd4b520f7bb01cc809f5f922cd64b50cbbb54a88
            • Instruction ID: 27cbc0e88537723bed6e6b836d6a0a1ce8659cc96ebbbeb91bee8684ed6a632b
            • Opcode Fuzzy Hash: d64b3e14a481009a8519262ddd4b520f7bb01cc809f5f922cd64b50cbbb54a88
            • Instruction Fuzzy Hash: 19215C31C4021AABCF11AF90CC16EEEB735FF18301F04946AFA15720A2EA719618CB71
            Function 00DF209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON
            Download Yara Rule
            APIs
            • GetParent.USER32 ref: 00DF20AB
            • GetClassNameW.USER32(00000000,?,00000100), ref: 00DF20C0
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DF214D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1290815626-3381328864
            • Opcode ID: 5d10049f092a5c480008e4c4768932629aa59ed62c5a8f25b937c450458eafde
            • Instruction ID: a468cad8ed65befad1eb308f7b0d497c390cb3af57b60e6c985becad36637e09
            • Opcode Fuzzy Hash: 5d10049f092a5c480008e4c4768932629aa59ed62c5a8f25b937c450458eafde
            • Instruction Fuzzy Hash: A41136772C870AF9FA116220DC1BDFA739CCF05725B214116FB05B40E2FE61A80A5639
            Function 00DCCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
            • String ID:
            • API String ID: 1282221369-0
            • Opcode ID: 7986192acd79820e783b4632654ae9c4451b013a8f13b310edf0be64fd92e6d1
            • Instruction ID: 683d59a698a52473158e10ec4c8179ff01eead1f99eb119e9d9c1dfe6eb02bc5
            • Opcode Fuzzy Hash: 7986192acd79820e783b4632654ae9c4451b013a8f13b310edf0be64fd92e6d1
            • Instruction Fuzzy Hash: 7E61E471905313AFDF21AFB99C81F6A7BA9EF05360F08426DFA49A7281DA7199018770
            Function 00E250D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00E25186
            • ShowWindow.USER32(?,00000000), ref: 00E251C7
            • ShowWindow.USER32(?,00000005,?,00000000), ref: 00E251CD
            • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00E251D1
              • Part of subcall function 00E26FBA: DeleteObject.GDI32(00000000), ref: 00E26FE6
            • GetWindowLongW.USER32(?,000000F0), ref: 00E2520D
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E2521A
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E2524D
            • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00E25287
            • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00E25296
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
            • String ID:
            • API String ID: 3210457359-0
            • Opcode ID: 166a3c88fc1ba340e2a5bf5f9cb98c754648805be59d10651a4a100206dc3556
            • Instruction ID: 79827b36efd6e650e662aef450710fb6dfeabec29bdf45516209c27ebaf892f8
            • Opcode Fuzzy Hash: 166a3c88fc1ba340e2a5bf5f9cb98c754648805be59d10651a4a100206dc3556
            • Instruction Fuzzy Hash: 6751D232A51A28FEEF309F24EE49BD93BB5FB05324F245001F615B62E0C375A994DB51
            Function 00DA8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON
            Download Yara Rule
            APIs
            • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00DE6890
            • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00DE68A9
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DE68B9
            • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00DE68D1
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DE68F2
            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00DA8874,00000000,00000000,00000000,000000FF,00000000), ref: 00DE6901
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DE691E
            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00DA8874,00000000,00000000,00000000,000000FF,00000000), ref: 00DE692D
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend
            • String ID:
            • API String ID: 1268354404-0
            • Opcode ID: 5bc195499190b657c18fb99a85956b71eb57ebb1d97f5e8ea1bc58e5a61adf5b
            • Instruction ID: e31e073c2e54cd049fb95678d31b7ce4b316922d3de74a9d3087dbb9293bfeb6
            • Opcode Fuzzy Hash: 5bc195499190b657c18fb99a85956b71eb57ebb1d97f5e8ea1bc58e5a61adf5b
            • Instruction Fuzzy Hash: AC51AA70600209EFDB20DF26CC95BAA7BB5FF58790F144518F956A72A0DB70E950DB70
            Function 00E0C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON
            Download Yara Rule
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E0C182
            • GetLastError.KERNEL32 ref: 00E0C195
            • SetEvent.KERNEL32(?), ref: 00E0C1A9
              • Part of subcall function 00E0C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E0C272
              • Part of subcall function 00E0C253: GetLastError.KERNEL32 ref: 00E0C322
              • Part of subcall function 00E0C253: SetEvent.KERNEL32(?), ref: 00E0C336
              • Part of subcall function 00E0C253: InternetCloseHandle.WININET(00000000), ref: 00E0C341
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
            • String ID:
            • API String ID: 337547030-0
            • Opcode ID: 30b93cfde23000d72581629915f3ff93d8ae75585d9961af5881521ab1675b13
            • Instruction ID: ae4c9c7b2f34fa18da17ca8d355690a01114772c111d81ad060524b284ef6bcf
            • Opcode Fuzzy Hash: 30b93cfde23000d72581629915f3ff93d8ae75585d9961af5881521ab1675b13
            • Instruction Fuzzy Hash: E631A371501A01FFDB219FF5DD04A6A7BF8FF18304B20561DF956A3660D730E8569BA0
            Function 00DF25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DF3A57
              • Part of subcall function 00DF3A3D: GetCurrentThreadId.KERNEL32 ref: 00DF3A5E
              • Part of subcall function 00DF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DF25B3), ref: 00DF3A65
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DF25BD
            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00DF25DB
            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00DF25DF
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DF25E9
            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00DF2601
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00DF2605
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00DF260F
            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00DF2623
            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00DF2627
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
            • String ID:
            • API String ID: 2014098862-0
            • Opcode ID: 32e8f7c255b3dec7eff3c98486a20f86cf6849b6d2badecab30b59cf25854691
            • Instruction ID: 56fd6412f05bbb023d09b818d7c6b3573ced481eca9200a96a1c5967c32c95ff
            • Opcode Fuzzy Hash: 32e8f7c255b3dec7eff3c98486a20f86cf6849b6d2badecab30b59cf25854691
            • Instruction Fuzzy Hash: 3D01D830390614BBFB20676ADC8BF693F59DF4EB11F214001F354BE1D1C9E254898A7A
            Function 00DF1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON
            Download Yara Rule
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00DF1449,?,?,00000000), ref: 00DF180C
            • HeapAlloc.KERNEL32(00000000,?,00DF1449,?,?,00000000), ref: 00DF1813
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DF1449,?,?,00000000), ref: 00DF1828
            • GetCurrentProcess.KERNEL32(?,00000000,?,00DF1449,?,?,00000000), ref: 00DF1830
            • DuplicateHandle.KERNEL32(00000000,?,00DF1449,?,?,00000000), ref: 00DF1833
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DF1449,?,?,00000000), ref: 00DF1843
            • GetCurrentProcess.KERNEL32(00DF1449,00000000,?,00DF1449,?,?,00000000), ref: 00DF184B
            • DuplicateHandle.KERNEL32(00000000,?,00DF1449,?,?,00000000), ref: 00DF184E
            • CreateThread.KERNEL32(00000000,00000000,00DF1874,00000000,00000000,00000000), ref: 00DF1868
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: ec84005965069041aef53a1dbd0e9cd627b55475d3f8064e684eac5806761e39
            • Instruction ID: e654009385fbb7354b7c70a32fe397e9591f1799165e3bedb035beba6392dade
            • Opcode Fuzzy Hash: ec84005965069041aef53a1dbd0e9cd627b55475d3f8064e684eac5806761e39
            • Instruction Fuzzy Hash: BB01BF75641308BFE720AB65DC4EF6B3B6CEB89B11F214411FA05DB192C6709815CB60
            Function 00E1A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DFD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00DFD501
              • Part of subcall function 00DFD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00DFD50F
              • Part of subcall function 00DFD4DC: CloseHandle.KERNEL32(00000000), ref: 00DFD5DC
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E1A16D
            • GetLastError.KERNEL32 ref: 00E1A180
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E1A1B3
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E1A268
            • GetLastError.KERNEL32(00000000), ref: 00E1A273
            • CloseHandle.KERNEL32(00000000), ref: 00E1A2C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: a58dfd367e02e2c43781eca64bbfe3ae31879ee8bfd41cf1870dbb3a50b5d263
            • Instruction ID: 1c176f952dc92ff1b7e802d8a86472ed73b7564287a5b93584344adf0290c776
            • Opcode Fuzzy Hash: a58dfd367e02e2c43781eca64bbfe3ae31879ee8bfd41cf1870dbb3a50b5d263
            • Instruction Fuzzy Hash: 5D61E471206201AFD720DF14C494F69BBE1EF44318F58849CE4669B7A3C772EC89CBA2
            Function 00E23886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E23925
            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00E2393A
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E23954
            • _wcslen.LIBCMT ref: 00E23999
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E239C6
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E239F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$Window_wcslen
            • String ID: SysListView32
            • API String ID: 2147712094-78025650
            • Opcode ID: 887018dee09329ce1402d265eeb73b854c9f698d9971d6d9fccc3fb2f3c08295
            • Instruction ID: f26c8305a3a198eff6beaa2f1ff53aad12add6d1e9c94f397406fca69faaf907
            • Opcode Fuzzy Hash: 887018dee09329ce1402d265eeb73b854c9f698d9971d6d9fccc3fb2f3c08295
            • Instruction Fuzzy Hash: 9F41C171A00228ABEB259F64DC45BEA7BA9EF48354F101526F948F7281D3759984CFA0
            Function 00DFBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON
            Download Yara Rule
            APIs
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DFBCFD
            • IsMenu.USER32(00000000), ref: 00DFBD1D
            • CreatePopupMenu.USER32 ref: 00DFBD53
            • GetMenuItemCount.USER32(01425550), ref: 00DFBDA4
            • InsertMenuItemW.USER32(01425550,?,00000001,00000030), ref: 00DFBDCC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup
            • String ID: 0$2
            • API String ID: 93392585-3793063076
            • Opcode ID: b04847aa7d7eae4b5a3c3a2988c35b6aa212e3276146f8237c930c2fe2fce050
            • Instruction ID: 07c0f2c930eb54c5f3267bcf6b349f53ec79eef3295bf5e8975c5e0279b6bdaf
            • Opcode Fuzzy Hash: b04847aa7d7eae4b5a3c3a2988c35b6aa212e3276146f8237c930c2fe2fce050
            • Instruction Fuzzy Hash: 4C518F7060020D9BDB20DFA9DC84BBEBBF4EF45324F29C11AE652A7290D7709945CB72
            Function 00DFC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON
            Download Yara Rule
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 00DFC913
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: dbd4b0f3a70894ada7b44747fb0fe6785477ded8b9feff9bc7dea573c7d1bdd5
            • Instruction ID: 3c8078e09fbf945214cb0040259d606b803ce5272794c5a8ef88fd7758ca993c
            • Opcode Fuzzy Hash: dbd4b0f3a70894ada7b44747fb0fe6785477ded8b9feff9bc7dea573c7d1bdd5
            • Instruction Fuzzy Hash: E7115B3169930EBBEB009B10DD82CFE639CCF1935AB61502BFA00B7182E7A1DE545674
            Function 00DFED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$LocalTime
            • String ID:
            • API String ID: 952045576-0
            • Opcode ID: fb9275eeabc083992d93837c6c7c3674c9b5f77e225a4c5626b5d41c77e95144
            • Instruction ID: ece8f454f92ef5d9ee5b666c0572ad8dad992caa41826097a9b1604ad7bc0b7a
            • Opcode Fuzzy Hash: fb9275eeabc083992d93837c6c7c3674c9b5f77e225a4c5626b5d41c77e95144
            • Instruction Fuzzy Hash: D041A165C10218B6DB11EBF48C8A9DFB7A8EF45310F508466F619E3122FB38E245C7B9
            Function 00DAF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON
            Download Yara Rule
            APIs
            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00DE682C,00000004,00000000,00000000), ref: 00DAF953
            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00DE682C,00000004,00000000,00000000), ref: 00DEF3D1
            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00DE682C,00000004,00000000,00000000), ref: 00DEF454
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: 258bae430bfc2a088a51a480c96050837016641a4b6d7d8dfac4f206efda2945
            • Instruction ID: 7baca1fc61870c0fe183bfd5e0011e4ec6bac593d0775bd965efd1bd92499f37
            • Opcode Fuzzy Hash: 258bae430bfc2a088a51a480c96050837016641a4b6d7d8dfac4f206efda2945
            • Instruction Fuzzy Hash: 90410931604680BEC7799B7AC88876F7B91AF57314F1C48BDE087625A0C672E885CF71
            Function 00E22D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
            Download Yara Rule
            APIs
            • DeleteObject.GDI32(00000000), ref: 00E22D1B
            • GetDC.USER32(00000000), ref: 00E22D23
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E22D2E
            • ReleaseDC.USER32(00000000,00000000), ref: 00E22D3A
            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E22D76
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E22D87
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E25A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00E22DC2
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E22DE1
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: af25b022f29d29cec13d55111b5e6686c2539c590ce34e9a83fd355c5a1c2a78
            • Instruction ID: 134b35b2d5655ac6c59618592603dd411815b0cfa4a0575a60af5f07f4b8e581
            • Opcode Fuzzy Hash: af25b022f29d29cec13d55111b5e6686c2539c590ce34e9a83fd355c5a1c2a78
            • Instruction Fuzzy Hash: 2931BF72201220BFEB204F11DC8AFEB3BA9EF09715F044055FE08AA291C6758C41C7A4
            Function 00DF5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 969729b11ba188478ecf1bdc7f31c9f228d590d40ff2f9e923fab9868bba5e23
            • Instruction ID: 5ce43013e93b8e2d453e62d09787d2f4abda6b5c182230f5997f4f4b5b197982
            • Opcode Fuzzy Hash: 969729b11ba188478ecf1bdc7f31c9f228d590d40ff2f9e923fab9868bba5e23
            • Instruction Fuzzy Hash: 4421AA65644A1DB7D6146510BD92FFA739CEF113C4F998030FF16EA645F720EE1081B5
            Function 00E14FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID: NULL Pointer assignment$Not an Object type
            • API String ID: 0-572801152
            • Opcode ID: 15c9ac31378ee617be0917b83e648e05f2abe9bd749b72d68b30300a449abe5d
            • Instruction ID: 4d57b97b6bc5c184ddbbea1db369d8a4950d570f04ba2ce7e2eccf8cd6ce249c
            • Opcode Fuzzy Hash: 15c9ac31378ee617be0917b83e648e05f2abe9bd749b72d68b30300a449abe5d
            • Instruction Fuzzy Hash: 8BD18072A0060AEFDB10DF98D881BEEB7B5BF88344F149469E915BB281D770DD85CB60
            Function 00DD1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON
            Download Yara Rule
            APIs
            • GetCPInfo.KERNEL32(?,?), ref: 00DD15CE
            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00DD1651
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DD16E4
            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00DD16FB
              • Part of subcall function 00DC3820: RtlAllocateHeap.NTDLL(00000000,?,00E61444,?,00DAFDF5,?,?,00D9A976,00000010,00E61440,00D913FC,?,00D913C6,?,00D91129), ref: 00DC3852
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DD1777
            • __freea.LIBCMT ref: 00DD17A2
            • __freea.LIBCMT ref: 00DD17AE
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
            • String ID:
            • API String ID: 2829977744-0
            • Opcode ID: 8e70cddb90ca572454b3922a90ae153d1e62637d738e2711c7945de4f5765886
            • Instruction ID: 2844d7fb147a594f6b1866d2ef0aa08eac6469c46aa1818878acf1145ce461bb
            • Opcode Fuzzy Hash: 8e70cddb90ca572454b3922a90ae153d1e62637d738e2711c7945de4f5765886
            • Instruction Fuzzy Hash: 9691B279E00216BEDB208E64DC81AEE7BB5EF49310F18465AE806E7391D739DD44CB70
            Function 00E14523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Variant$ClearInit
            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2610073882-625585964
            • Opcode ID: 881a69cf88c2b8f2482109e3b4b598d464acb1cb5fcbfb1f13f262b055211d21
            • Instruction ID: 78416fdc5313b44751402ec67d1aaf6d5d0781b1361a38c3e0fcc7e4f6564d7f
            • Opcode Fuzzy Hash: 881a69cf88c2b8f2482109e3b4b598d464acb1cb5fcbfb1f13f262b055211d21
            • Instruction Fuzzy Hash: DA918EB1A00219ABDF20CFA5D844FEEBBB8EF46714F10955AF515BB2C0D7709985CBA0
            Function 00E01187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON
            Download Yara Rule
            APIs
            • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00E0125C
            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E01284
            • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00E012A8
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00E012D8
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00E0135F
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00E013C4
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00E01430
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ArraySafe$Data$Access$UnaccessVartype
            • String ID:
            • API String ID: 2550207440-0
            • Opcode ID: 6ef0da4e0337df03f99e051c87fab90d686171c0b1928d526162f0587a13fdb5
            • Instruction ID: 9fc33b093403612457db5b965d857bf38d21d725620c89ffcbb14c87ee2ce47e
            • Opcode Fuzzy Hash: 6ef0da4e0337df03f99e051c87fab90d686171c0b1928d526162f0587a13fdb5
            • Instruction Fuzzy Hash: 5691D071A00208AFDB00DFA4C884BBEB7B5FF45314F1150A9E951FB2E1D774A981CBA0
            Function 00DA948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: d9083cd0c7688ee6accb4b7bb0ecf750b8d60140fc31103832737a80025532b0
            • Instruction ID: 3fea702caba42b76f4eb6cc5edfe71d534594462cdbc459a6cc86b8cc93c587e
            • Opcode Fuzzy Hash: d9083cd0c7688ee6accb4b7bb0ecf750b8d60140fc31103832737a80025532b0
            • Instruction Fuzzy Hash: 85912471D00219AFCB54CFA9C885AEEBBB9FF49320F248459E515B7251D378AA42CB70
            Function 00E13947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON
            Download Yara Rule
            APIs
            • VariantInit.OLEAUT32(?), ref: 00E1396B
            • CharUpperBuffW.USER32(?,?), ref: 00E13A7A
            • _wcslen.LIBCMT ref: 00E13A8A
            • VariantClear.OLEAUT32(?), ref: 00E13C1F
              • Part of subcall function 00E00CDF: VariantInit.OLEAUT32(00000000), ref: 00E00D1F
              • Part of subcall function 00E00CDF: VariantCopy.OLEAUT32(?,?), ref: 00E00D28
              • Part of subcall function 00E00CDF: VariantClear.OLEAUT32(?), ref: 00E00D34
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4137639002-1221869570
            • Opcode ID: 219fdacb4b357f0d4d4a087285098651833afce8ed45641d8433d0685f03d38d
            • Instruction ID: 0ee09360f278cccddc5786038a4705893a06fe9837ca6fc2337469517742b4a7
            • Opcode Fuzzy Hash: 219fdacb4b357f0d4d4a087285098651833afce8ed45641d8433d0685f03d38d
            • Instruction Fuzzy Hash: 2C916D756083059FCB04DF28C4919AAB7E4FF89314F14896DF89AA7351DB30EE45CBA2
            Function 00E14BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DF000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DEFF41,80070057,?,?,?,00DF035E), ref: 00DF002B
              • Part of subcall function 00DF000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DEFF41,80070057,?,?), ref: 00DF0046
              • Part of subcall function 00DF000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DEFF41,80070057,?,?), ref: 00DF0054
              • Part of subcall function 00DF000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DEFF41,80070057,?), ref: 00DF0064
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00E14C51
            • _wcslen.LIBCMT ref: 00E14D59
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00E14DCF
            • CoTaskMemFree.OLE32(?), ref: 00E14DDA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 614568839-2785691316
            • Opcode ID: b5b41dfb3402df469d46520e0f3895ef79b2c9a1f4a5c26de9a9dd34c957ac8e
            • Instruction ID: 860703cbec4f3f714e0bd38e11a30aec52b9a9131c3c84095f057d61358b8c80
            • Opcode Fuzzy Hash: b5b41dfb3402df469d46520e0f3895ef79b2c9a1f4a5c26de9a9dd34c957ac8e
            • Instruction Fuzzy Hash: 9991E7B1D0021DAFDF14DFA4D891AEEB7B9FF08314F108569E915BB291DB309A458FA0
            Function 00E220FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON
            Download Yara Rule
            APIs
            • GetMenu.USER32(?), ref: 00E22183
            • GetMenuItemCount.USER32(00000000), ref: 00E221B5
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E221DD
            • _wcslen.LIBCMT ref: 00E22213
            • GetMenuItemID.USER32(?,?), ref: 00E2224D
            • GetSubMenu.USER32(?,?), ref: 00E2225B
              • Part of subcall function 00DF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DF3A57
              • Part of subcall function 00DF3A3D: GetCurrentThreadId.KERNEL32 ref: 00DF3A5E
              • Part of subcall function 00DF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DF25B3), ref: 00DF3A65
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E222E3
              • Part of subcall function 00DFE97B: Sleep.KERNEL32 ref: 00DFE9F3
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
            • String ID:
            • API String ID: 4196846111-0
            • Opcode ID: 60780662883a09d92fef3bb5748d5b602017a37885c1bbd080b7cac788f709ab
            • Instruction ID: f7edca2b925b5c1440bf758f5f84c50eaaca19d09d6696c9908670bb819422a6
            • Opcode Fuzzy Hash: 60780662883a09d92fef3bb5748d5b602017a37885c1bbd080b7cac788f709ab
            • Instruction Fuzzy Hash: 4671AC36A00215EFCB14DFA4D841AAEB7F1EF88310F108458EA16BB351DB35EE418BA0
            Function 00DFAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON
            Download Yara Rule
            APIs
            • GetParent.USER32(?), ref: 00DFAEF9
            • GetKeyboardState.USER32(?), ref: 00DFAF0E
            • SetKeyboardState.USER32(?), ref: 00DFAF6F
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00DFAF9D
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00DFAFBC
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00DFAFFD
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DFB020
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 8dfb6a4cfb9de3dabe63a119f33fd0a038cbc58b26f86dd4a3e2f3ca95dfde00
            • Instruction ID: 72f71dbd202e08b0a0e3276a9808297635bbede6d3abc351795c86866b704538
            • Opcode Fuzzy Hash: 8dfb6a4cfb9de3dabe63a119f33fd0a038cbc58b26f86dd4a3e2f3ca95dfde00
            • Instruction Fuzzy Hash: F25191E06046D93DFB364238CC45BBA7EA96F06314F0DC58AF6D9594C2C798AC88D771
            Function 00DFACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON
            Download Yara Rule
            APIs
            • GetParent.USER32(00000000), ref: 00DFAD19
            • GetKeyboardState.USER32(?), ref: 00DFAD2E
            • SetKeyboardState.USER32(?), ref: 00DFAD8F
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DFADBB
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DFADD8
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DFAE17
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DFAE38
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: eb46f3d887cc2a59299d5082e8b522270aadff3a1ef0de7603fbccc28b900e95
            • Instruction ID: aef383aa66ca47045a3868c6d67cf001edff9f93dde271d7b71252ea34b7e79a
            • Opcode Fuzzy Hash: eb46f3d887cc2a59299d5082e8b522270aadff3a1ef0de7603fbccc28b900e95
            • Instruction Fuzzy Hash: 0C51D5E16047D93DFB368228CC55B7A7EA96B45300F0DC489F2DD5A8C2D294EC88D772
            Function 00DC542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • GetConsoleCP.KERNEL32(00DD3CD6,?,?,?,?,?,?,?,?,00DC5BA3,?,?,00DD3CD6,?,?), ref: 00DC5470
            • __fassign.LIBCMT ref: 00DC54EB
            • __fassign.LIBCMT ref: 00DC5506
            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00DD3CD6,00000005,00000000,00000000), ref: 00DC552C
            • WriteFile.KERNEL32(?,00DD3CD6,00000000,00DC5BA3,00000000,?,?,?,?,?,?,?,?,?,00DC5BA3,?), ref: 00DC554B
            • WriteFile.KERNEL32(?,?,00000001,00DC5BA3,00000000,?,?,?,?,?,?,?,?,?,00DC5BA3,?), ref: 00DC5584
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            • Opcode ID: cecd465be1f286af1c7c51a46bf78d874f7ae498d0a10845cc7e46ae88072df7
            • Instruction ID: 0a8bf47a4174284a60b1e3fd6d71c447828e597a7f81022187e4315adda72e2a
            • Opcode Fuzzy Hash: cecd465be1f286af1c7c51a46bf78d874f7ae498d0a10845cc7e46ae88072df7
            • Instruction Fuzzy Hash: 6451A270A00609AFDF10CFA8E845FEEBBF9EF09300F24455EE555E7291D670AA81CB60
            Function 00DB2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON
            Download Yara Rule
            APIs
            • _ValidateLocalCookies.LIBCMT ref: 00DB2D4B
            • ___except_validate_context_record.LIBVCRUNTIME ref: 00DB2D53
            • _ValidateLocalCookies.LIBCMT ref: 00DB2DE1
            • __IsNonwritableInCurrentImage.LIBCMT ref: 00DB2E0C
            • _ValidateLocalCookies.LIBCMT ref: 00DB2E61
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
            • String ID: csm
            • API String ID: 1170836740-1018135373
            • Opcode ID: 55b981fa7745f14402a5a2e9c9ec821724ee37e25ba4c36014b089b1f2e36feb
            • Instruction ID: 37336a24ad5f9c208d2acf3a86591668b116e91b7ea1b8cbcad6d11feaeba9b7
            • Opcode Fuzzy Hash: 55b981fa7745f14402a5a2e9c9ec821724ee37e25ba4c36014b089b1f2e36feb
            • Instruction Fuzzy Hash: 1141A135A00209EBCF10DF69C855AEEBBA5FF44324F188155E8166B392D731EA05CBF1
            Function 00E110B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00E1304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00E1307A
              • Part of subcall function 00E1304E: _wcslen.LIBCMT ref: 00E1309B
            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E11112
            • WSAGetLastError.WSOCK32 ref: 00E11121
            • WSAGetLastError.WSOCK32 ref: 00E111C9
            • closesocket.WSOCK32(00000000), ref: 00E111F9
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
            • String ID:
            • API String ID: 2675159561-0
            • Opcode ID: 5501ee5e6c1e0e3adafaefb4c2dc51fccfe93037d996d7c744c62c703432dcca
            • Instruction ID: 882ef1d0b338bba481e19f180a2498b503d85d5e0b8b7112c1ce3a8976cefe34
            • Opcode Fuzzy Hash: 5501ee5e6c1e0e3adafaefb4c2dc51fccfe93037d996d7c744c62c703432dcca
            • Instruction Fuzzy Hash: 0C41C331601214AFDB209F24C884BEDB7E9EF45368F148099FA19AB291D770AD85CBA1
            Function 00DFCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DFDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DFCF22,?), ref: 00DFDDFD
              • Part of subcall function 00DFDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DFCF22,?), ref: 00DFDE16
            • lstrcmpiW.KERNEL32(?,?), ref: 00DFCF45
            • MoveFileW.KERNEL32(?,?), ref: 00DFCF7F
            • _wcslen.LIBCMT ref: 00DFD005
            • _wcslen.LIBCMT ref: 00DFD01B
            • SHFileOperationW.SHELL32(?), ref: 00DFD061
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
            • String ID: \*.*
            • API String ID: 3164238972-1173974218
            • Opcode ID: 377b7652960ffaa985f07fabd6d320a252b275746ce292fbf088bff78fc5aaf2
            • Instruction ID: 40e03f57b9fc67a4c79a17dba58c27144e81b9780b4d7d23f8a2112f7e84ba33
            • Opcode Fuzzy Hash: 377b7652960ffaa985f07fabd6d320a252b275746ce292fbf088bff78fc5aaf2
            • Instruction Fuzzy Hash: 7C41787180621C9FDF12EFA4CE81AEDB7B9EF48340F1540E6E605EB151EA34A648CB70
            Function 00E22DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E22E1C
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00E22E4F
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00E22E84
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E22EB6
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E22EE0
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00E22EF1
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E22F0B
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            • Opcode ID: 9691898bc03e7178ac0328d54e6012cc918d136c7e616c663da00d0f9bbf4e04
            • Instruction ID: 95587d1b7122e083029c4b2fa2f241640687f6fd61a23844b01a6ee31a0c4bdd
            • Opcode Fuzzy Hash: 9691898bc03e7178ac0328d54e6012cc918d136c7e616c663da00d0f9bbf4e04
            • Instruction Fuzzy Hash: 15310A30644160AFDB22CF59EC84F6537E1FB99754F2A11A8F610AF2B1CBB1A845EF41
            Function 00DF7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON
            Download Yara Rule
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DF7769
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DF778F
            • SysAllocString.OLEAUT32(00000000), ref: 00DF7792
            • SysAllocString.OLEAUT32(?), ref: 00DF77B0
            • SysFreeString.OLEAUT32(?), ref: 00DF77B9
            • StringFromGUID2.OLE32(?,?,00000028), ref: 00DF77DE
            • SysAllocString.OLEAUT32(?), ref: 00DF77EC
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: ffbad3310862c60e79bcf0576b467a6a7e2e6d852f81dc78db8061856f232953
            • Instruction ID: 0cdcf92def4d1c15828199b6c8b386366887689e6a40fd8bde6bddd1df099a83
            • Opcode Fuzzy Hash: ffbad3310862c60e79bcf0576b467a6a7e2e6d852f81dc78db8061856f232953
            • Instruction Fuzzy Hash: F221A17660421DAFDB10EFA9DC88CFB73ACEB093647158025FA14DB150D670DD468BB0
            Function 00DF77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON
            Download Yara Rule
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DF7842
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DF7868
            • SysAllocString.OLEAUT32(00000000), ref: 00DF786B
            • SysAllocString.OLEAUT32 ref: 00DF788C
            • SysFreeString.OLEAUT32 ref: 00DF7895
            • StringFromGUID2.OLE32(?,?,00000028), ref: 00DF78AF
            • SysAllocString.OLEAUT32(?), ref: 00DF78BD
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: d3d4bdeefbd7d3501acf7d597eff8606e934288ae3c4d202eb9b4bf0adcd829e
            • Instruction ID: 651761de02d25f4fdffb899910d093c1a5a27f1267f8c474e76fef1aff674491
            • Opcode Fuzzy Hash: d3d4bdeefbd7d3501acf7d597eff8606e934288ae3c4d202eb9b4bf0adcd829e
            • Instruction Fuzzy Hash: E1217431604108AFDB20AFA9DC89DBB77ECEB097A0725C125FA15DB2A1D670DC45CB74
            Function 00E004D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON
            Download Yara Rule
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 00E004F2
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E0052E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CreateHandlePipe
            • String ID: nul
            • API String ID: 1424370930-2873401336
            • Opcode ID: 0aedc8f8828ebd8560cdad0eb84712c6e8c4e118f2e7c74291188b641708d739
            • Instruction ID: 1bb43fcfdc2546ae28c00f7f3f4cf06a17055a2bc0430f3acc3b1f1f65795971
            • Opcode Fuzzy Hash: 0aedc8f8828ebd8560cdad0eb84712c6e8c4e118f2e7c74291188b641708d739
            • Instruction Fuzzy Hash: 09217771600305AFDB308F29DC04B9A7BB4AF44728F204A29E8A1F62E0E7709985CF20
            Function 00E005A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON
            Download Yara Rule
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 00E005C6
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E00601
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CreateHandlePipe
            • String ID: nul
            • API String ID: 1424370930-2873401336
            • Opcode ID: da5b0b1295ae74ec9254cad1a3048d9bcc659752d0bf0f003c83219d8ddc6594
            • Instruction ID: eaea57ac0a7b35976434a26605f6e80bbdf67cc26e8ae79863f674925a87efbf
            • Opcode Fuzzy Hash: da5b0b1295ae74ec9254cad1a3048d9bcc659752d0bf0f003c83219d8ddc6594
            • Instruction Fuzzy Hash: B521A1755003059FDB208F69EC04B9A77E5AF95734F301A19F8A1F32E0DB7199A1CB10
            Function 00E240AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D9600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D9604C
              • Part of subcall function 00D9600E: GetStockObject.GDI32(00000011), ref: 00D96060
              • Part of subcall function 00D9600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D9606A
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E24112
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E2411F
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E2412A
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E24139
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E24145
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            • Opcode ID: bc51be5e6c4741109edda01cf3e3be19e01540d2f237d4bd8f78439d06b889cf
            • Instruction ID: 1c5774a80f4a1cbf77336171dbf5f978d7d61312e68024d76cb299c03be725a1
            • Opcode Fuzzy Hash: bc51be5e6c4741109edda01cf3e3be19e01540d2f237d4bd8f78439d06b889cf
            • Instruction Fuzzy Hash: D91193B21402297EEF118F64DC85EE77F5DEF08798F015110FA18A2090CA729C61DBA4
            Function 00DCD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE
            Download Yara Rule
            APIs
              • Part of subcall function 00DCD7A3: _free.LIBCMT ref: 00DCD7CC
            • _free.LIBCMT ref: 00DCD82D
              • Part of subcall function 00DC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000), ref: 00DC29DE
              • Part of subcall function 00DC29C8: GetLastError.KERNEL32(00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000,00000000), ref: 00DC29F0
            • _free.LIBCMT ref: 00DCD838
            • _free.LIBCMT ref: 00DCD843
            • _free.LIBCMT ref: 00DCD897
            • _free.LIBCMT ref: 00DCD8A2
            • _free.LIBCMT ref: 00DCD8AD
            • _free.LIBCMT ref: 00DCD8B8
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
            • Instruction ID: 52666855dee7d943894daae390af7fc9b33e28fa564da9ae037af7362ba2fa39
            • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
            • Instruction Fuzzy Hash: F111F971580B05AADA21BFB0CC46FDB7B9DEF04700F50582DB29EA7892DB75A5058A70
            Function 00DFDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON
            Download Yara Rule
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DFDA74
            • LoadStringW.USER32(00000000), ref: 00DFDA7B
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DFDA91
            • LoadStringW.USER32(00000000), ref: 00DFDA98
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DFDADC
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 00DFDAB9
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 4072794657-3128320259
            • Opcode ID: edc8940c48d8fd2e0202e67b6a8c1e5db9f2add8c20bdca240676dd4d42cd1a3
            • Instruction ID: a073f0a1b360876503277f8e237ba8c5dfab189333763e6cc95dc56e334d506e
            • Opcode Fuzzy Hash: edc8940c48d8fd2e0202e67b6a8c1e5db9f2add8c20bdca240676dd4d42cd1a3
            • Instruction Fuzzy Hash: 1F0186F29002087FE7109BA1DD89EFB736CEB08701F504492B746F2041E6749E898F74
            Function 00E0096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON
            Download Yara Rule
            APIs
            • InterlockedExchange.KERNEL32(0141E2F8,0141E2F8), ref: 00E0097B
            • EnterCriticalSection.KERNEL32(0141E2D8,00000000), ref: 00E0098D
            • TerminateThread.KERNEL32(01419AB8,000001F6), ref: 00E0099B
            • WaitForSingleObject.KERNEL32(01419AB8,000003E8), ref: 00E009A9
            • CloseHandle.KERNEL32(01419AB8), ref: 00E009B8
            • InterlockedExchange.KERNEL32(0141E2F8,000001F6), ref: 00E009C8
            • LeaveCriticalSection.KERNEL32(0141E2D8), ref: 00E009CF
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: 80602046ed97d342553eda2ee0b1cc6b51b59767075895ee978318ee4531ff3b
            • Instruction ID: 0d7ed2ef067d95e377c0382d74771ba4779867c008bc2a3340d89c2dd030a844
            • Opcode Fuzzy Hash: 80602046ed97d342553eda2ee0b1cc6b51b59767075895ee978318ee4531ff3b
            • Instruction Fuzzy Hash: 85F01D32442902EFD7615B95EE89BDA7B35BF41702FA02015F101608B1CB7494AACF90
            Function 00D95D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON
            Download Yara Rule
            APIs
            • GetClientRect.USER32(?,?), ref: 00D95D30
            • GetWindowRect.USER32(?,?), ref: 00D95D71
            • ScreenToClient.USER32(?,?), ref: 00D95D99
            • GetClientRect.USER32(?,?), ref: 00D95ED7
            • GetWindowRect.USER32(?,?), ref: 00D95EF8
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Rect$Client$Window$Screen
            • String ID:
            • API String ID: 1296646539-0
            • Opcode ID: aebf7da9da13909570a20aaba021979a04908003cc42a89071dbf5570c6bcb11
            • Instruction ID: f5e2cd74a25ae4f3ed42ec9a537a6a40928c9a3a14c11e906b21d77d9834ec4a
            • Opcode Fuzzy Hash: aebf7da9da13909570a20aaba021979a04908003cc42a89071dbf5570c6bcb11
            • Instruction Fuzzy Hash: 9FB15935A0064ADBDF14CFA9D4806EEB7F1FF48310F18852AE8A9D7254DB30EA51DB60
            Function 00DC01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON
            Download Yara Rule
            APIs
            • __allrem.LIBCMT ref: 00DC00BA
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC00D6
            • __allrem.LIBCMT ref: 00DC00ED
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC010B
            • __allrem.LIBCMT ref: 00DC0122
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC0140
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
            • String ID:
            • API String ID: 1992179935-0
            • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
            • Instruction ID: 081a9e4957631b84aba34647e5921f06fea6e7c6f14e50d636845bdbd71c4e3c
            • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
            • Instruction Fuzzy Hash: 6081C376A00B07DBE7209F68CC42FAAB7A9EF45724F28452EF552D7281E770D9048B70
            Function 00E11D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00E13149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00E1101C,00000000,?,?,00000000), ref: 00E13195
            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E11DC0
            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E11DE1
            • WSAGetLastError.WSOCK32 ref: 00E11DF2
            • inet_ntoa.WSOCK32(?), ref: 00E11E8C
            • htons.WSOCK32(?,?,?,?,?), ref: 00E11EDB
            • _strlen.LIBCMT ref: 00E11F35
              • Part of subcall function 00DF39E8: _strlen.LIBCMT ref: 00DF39F2
              • Part of subcall function 00D96D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00DACF58,?,?,?), ref: 00D96DBA
              • Part of subcall function 00D96D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00DACF58,?,?,?), ref: 00D96DED
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
            • String ID:
            • API String ID: 1923757996-0
            • Opcode ID: 05212b8f2f64a2c14996062cd8cd654eeb455a3e9842b4dc8ee42f524d94d990
            • Instruction ID: 85a36d68cefa81e8a34cb3c060b8804aa8503687b2d624a0b826034eb1387dc5
            • Opcode Fuzzy Hash: 05212b8f2f64a2c14996062cd8cd654eeb455a3e9842b4dc8ee42f524d94d990
            • Instruction Fuzzy Hash: 1BA1F731204340AFC724DF24C885FAA7BE5EF89318F54558CF5566B2A2CB71ED86CBA1
            Function 00DC61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON
            Download Yara Rule
            APIs
            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00DB82D9,00DB82D9,?,?,?,00DC644F,00000001,00000001,8BE85006), ref: 00DC6258
            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00DC644F,00000001,00000001,8BE85006,?,?,?), ref: 00DC62DE
            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00DC63D8
            • __freea.LIBCMT ref: 00DC63E5
              • Part of subcall function 00DC3820: RtlAllocateHeap.NTDLL(00000000,?,00E61444,?,00DAFDF5,?,?,00D9A976,00000010,00E61440,00D913FC,?,00D913C6,?,00D91129), ref: 00DC3852
            • __freea.LIBCMT ref: 00DC63EE
            • __freea.LIBCMT ref: 00DC6413
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ByteCharMultiWide__freea$AllocateHeap
            • String ID:
            • API String ID: 1414292761-0
            • Opcode ID: 68f7ee578ee3d4303c068e57664cd9417cfd51453a02b047e4d4f00a6a5d33aa
            • Instruction ID: bc33f15f59dd4fa2170d737aa21773e26312963c81c1cf37a09c3ceee31914c0
            • Opcode Fuzzy Hash: 68f7ee578ee3d4303c068e57664cd9417cfd51453a02b047e4d4f00a6a5d33aa
            • Instruction Fuzzy Hash: BB519D72600257ABEB268F64CC81FAF7BA9EF44750B29462DF805D7181DB34DC54C670
            Function 00E1BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
              • Part of subcall function 00E1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E1B6AE,?,?), ref: 00E1C9B5
              • Part of subcall function 00E1C998: _wcslen.LIBCMT ref: 00E1C9F1
              • Part of subcall function 00E1C998: _wcslen.LIBCMT ref: 00E1CA68
              • Part of subcall function 00E1C998: _wcslen.LIBCMT ref: 00E1CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E1BCCA
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E1BD25
            • RegCloseKey.ADVAPI32(00000000), ref: 00E1BD6A
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E1BD99
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E1BDF3
            • RegCloseKey.ADVAPI32(?), ref: 00E1BDFF
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
            • String ID:
            • API String ID: 1120388591-0
            • Opcode ID: c7f0561040a16d272d35493dc52a0d7cf5bf2efbeabeade612a655c0ba460b9f
            • Instruction ID: e07f416fd6727598f3b95dab52fc7bd375208574c8b18eb97d7ed1e0894dcbc1
            • Opcode Fuzzy Hash: c7f0561040a16d272d35493dc52a0d7cf5bf2efbeabeade612a655c0ba460b9f
            • Instruction Fuzzy Hash: 2781B171208241EFD714DF24C895E6ABBE5FF84308F14895CF4599B2A2DB31ED85CBA2
            Function 00DEF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON
            Download Yara Rule
            APIs
            • VariantInit.OLEAUT32(00000035), ref: 00DEF7B9
            • SysAllocString.OLEAUT32(00000001), ref: 00DEF860
            • VariantCopy.OLEAUT32(00DEFA64,00000000), ref: 00DEF889
            • VariantClear.OLEAUT32(00DEFA64), ref: 00DEF8AD
            • VariantCopy.OLEAUT32(00DEFA64,00000000), ref: 00DEF8B1
            • VariantClear.OLEAUT32(?), ref: 00DEF8BB
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Variant$ClearCopy$AllocInitString
            • String ID:
            • API String ID: 3859894641-0
            • Opcode ID: 65a166d92b94d21fad1e9a144daeb5981cac8d255bfd1c72a837cb688605c291
            • Instruction ID: a756660fdaab2fb15c81354bd0161942fcad26bbc5628baf9aa7d1f447bb6f89
            • Opcode Fuzzy Hash: 65a166d92b94d21fad1e9a144daeb5981cac8d255bfd1c72a837cb688605c291
            • Instruction Fuzzy Hash: B751B532500750BADF24BB66DCD5B2DB3A9EF45310B249467E945EF292DB708C40CBB6
            Function 00E0910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D97620: _wcslen.LIBCMT ref: 00D97625
              • Part of subcall function 00D96B57: _wcslen.LIBCMT ref: 00D96B6A
            • GetOpenFileNameW.COMDLG32(00000058), ref: 00E094E5
            • _wcslen.LIBCMT ref: 00E09506
            • _wcslen.LIBCMT ref: 00E0952D
            • GetSaveFileNameW.COMDLG32(00000058), ref: 00E09585
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$FileName$OpenSave
            • String ID: X
            • API String ID: 83654149-3081909835
            • Opcode ID: e63fde84b7980ad5901227168e96ec2ce56948b39e838050c7fdb18c9ab9fcba
            • Instruction ID: dbe5a03d6e5152e9a3355a796b1c88c02b39ac09c9828e6a8a247c03077a88c0
            • Opcode Fuzzy Hash: e63fde84b7980ad5901227168e96ec2ce56948b39e838050c7fdb18c9ab9fcba
            • Instruction Fuzzy Hash: 7AE17D715083009FCB24DF25C881A6AB7E4FF85314F15896DE899AB2A3DB31DD45CBA2
            Function 00DA920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00DA9BB2
            • BeginPaint.USER32(?,?,?), ref: 00DA9241
            • GetWindowRect.USER32(?,?), ref: 00DA92A5
            • ScreenToClient.USER32(?,?), ref: 00DA92C2
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DA92D3
            • EndPaint.USER32(?,?,?,?,?), ref: 00DA9321
            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00DE71EA
              • Part of subcall function 00DA9339: BeginPath.GDI32(00000000), ref: 00DA9357
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
            • String ID:
            • API String ID: 3050599898-0
            • Opcode ID: cf61b680d564ec1a9e676b07cb3169776a407a055827d0199092a196edbb9b89
            • Instruction ID: d300f6bd8aa09616f04430de111af4fd0f28b8bf7122e035c4630681799a76b0
            • Opcode Fuzzy Hash: cf61b680d564ec1a9e676b07cb3169776a407a055827d0199092a196edbb9b89
            • Instruction Fuzzy Hash: 9441CF30104300AFDB21DF26DC95FABBBB8EF86760F180269F994971A1C7709849DB71
            Function 00E007EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON
            Download Yara Rule
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00E0080C
            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00E00847
            • EnterCriticalSection.KERNEL32(?), ref: 00E00863
            • LeaveCriticalSection.KERNEL32(?), ref: 00E008DC
            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00E008F3
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E00921
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
            • String ID:
            • API String ID: 3368777196-0
            • Opcode ID: 5b056fb563a588693e6fb5968d6412863af6fcf5d6bae34135c59386d261a097
            • Instruction ID: a2c838bf7facce37df5c8f859fd145297eabace0bd34ea7075129da3727d8cce
            • Opcode Fuzzy Hash: 5b056fb563a588693e6fb5968d6412863af6fcf5d6bae34135c59386d261a097
            • Instruction Fuzzy Hash: 70414A71900205EFDF14AF95DC85AAA77B8FF44314F1480A5FD00AA29ADB30EE65DBB4
            Function 00E281DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON
            Download Yara Rule
            APIs
            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00DEF3AB,00000000,?,?,00000000,?,00DE682C,00000004,00000000,00000000), ref: 00E2824C
            • EnableWindow.USER32(00000000,00000000), ref: 00E28272
            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00E282D1
            • ShowWindow.USER32(00000000,00000004), ref: 00E282E5
            • EnableWindow.USER32(00000000,00000001), ref: 00E2830B
            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00E2832F
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            • Opcode ID: 3c5c0901a2c71797224539581e2b81eaa4de203c3e0ac13c34a7ddaf5b9604dc
            • Instruction ID: 6571e01d4a2014bcf6160de7ba32884a6dae1776843c03ea1bd36b837d4b7608
            • Opcode Fuzzy Hash: 3c5c0901a2c71797224539581e2b81eaa4de203c3e0ac13c34a7ddaf5b9604dc
            • Instruction Fuzzy Hash: 05412831202610EFDB22CF15E994BE43BE0FB45718F1C21A9E5086F272CB71A845CF41
            Function 00DF4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON
            Download Yara Rule
            APIs
            • IsWindowVisible.USER32(?), ref: 00DF4C95
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DF4CB2
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DF4CEA
            • _wcslen.LIBCMT ref: 00DF4D08
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DF4D10
            • _wcsstr.LIBVCRUNTIME ref: 00DF4D1A
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
            • String ID:
            • API String ID: 72514467-0
            • Opcode ID: 5b3a676daaefacf68441d6e1436d362a31e25ce5819b2ee7864346533610a656
            • Instruction ID: 2ba9a8d2f1eaf34f80594e13129fb5acf42e049687aace91012124a170d80227
            • Opcode Fuzzy Hash: 5b3a676daaefacf68441d6e1436d362a31e25ce5819b2ee7864346533610a656
            • Instruction Fuzzy Hash: B9212632204208BFEB255B7AEC09E7F7B9CDF45B50F15C069F905DA192EA61CD0186B0
            Function 00E0581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D93A97,?,?,00D92E7F,?,?,?,00000000), ref: 00D93AC2
            • _wcslen.LIBCMT ref: 00E0587B
            • CoInitialize.OLE32(00000000), ref: 00E05995
            • CoCreateInstance.OLE32(00E2FCF8,00000000,00000001,00E2FB68,?), ref: 00E059AE
            • CoUninitialize.OLE32 ref: 00E059CC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
            • String ID: .lnk
            • API String ID: 3172280962-24824748
            • Opcode ID: 266da2cd0ab18ecb50f98756a967054e9275f79572d859000e02075d3a4de879
            • Instruction ID: 369ca75a54a1f93e852ff1ccbd14cb1a119f1491ee2d1e20558383585dca3849
            • Opcode Fuzzy Hash: 266da2cd0ab18ecb50f98756a967054e9275f79572d859000e02075d3a4de879
            • Instruction Fuzzy Hash: 21D153726087019FCB14DF14C48092BBBE5EF89714F15885DF899AB2A1DB31ED85CFA2
            Function 00DF175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DF0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DF0FCA
              • Part of subcall function 00DF0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DF0FD6
              • Part of subcall function 00DF0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DF0FE5
              • Part of subcall function 00DF0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DF0FEC
              • Part of subcall function 00DF0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DF1002
            • GetLengthSid.ADVAPI32(?,00000000,00DF1335), ref: 00DF17AE
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00DF17BA
            • HeapAlloc.KERNEL32(00000000), ref: 00DF17C1
            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00DF17DA
            • GetProcessHeap.KERNEL32(00000000,00000000,00DF1335), ref: 00DF17EE
            • HeapFree.KERNEL32(00000000), ref: 00DF17F5
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
            • String ID:
            • API String ID: 3008561057-0
            • Opcode ID: 34074707bcb3771433e64f448cfbca497e299240f9330a88d343b7cc7235ca86
            • Instruction ID: 5b7aed58dd74eecea413de1bd2e14c8b4db8a52ba4061800305b9f36ef8ae6d5
            • Opcode Fuzzy Hash: 34074707bcb3771433e64f448cfbca497e299240f9330a88d343b7cc7235ca86
            • Instruction Fuzzy Hash: BB118935901209EFDB20ABA5CC4ABBF7BB9FB41355F258018E585A7210C735A949CB60
            Function 00DF14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON
            Download Yara Rule
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DF14FF
            • OpenProcessToken.ADVAPI32(00000000), ref: 00DF1506
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00DF1515
            • CloseHandle.KERNEL32(00000004), ref: 00DF1520
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DF154F
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00DF1563
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            • Opcode ID: 38e80879e6c8500290289c36853f8e3e8202b7ae8eb57ed402ead3410b8abf4f
            • Instruction ID: 3e47cd0bf4c6ebfe8ca6aaca5c6b4d84ce8459465e8340361ad1ec103fc885c2
            • Opcode Fuzzy Hash: 38e80879e6c8500290289c36853f8e3e8202b7ae8eb57ed402ead3410b8abf4f
            • Instruction Fuzzy Hash: B311477650020DEFDB218FA8DD49FEE7BA9EF48704F298015FA05A2160C371CE659B60
            Function 00DB3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • GetLastError.KERNEL32(?,?,00DB3379,00DB2FE5), ref: 00DB3390
            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DB339E
            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DB33B7
            • SetLastError.KERNEL32(00000000,?,00DB3379,00DB2FE5), ref: 00DB3409
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorLastValue___vcrt_
            • String ID:
            • API String ID: 3852720340-0
            • Opcode ID: 52fce2fbdd77bd5b5002015bf7f2267ad054be7848306b9e44ad3214ee715dac
            • Instruction ID: 25c62575d7a6e0d3ba77d1c0853f7b14d02322bec15cddd2269875d4bc35d400
            • Opcode Fuzzy Hash: 52fce2fbdd77bd5b5002015bf7f2267ad054be7848306b9e44ad3214ee715dac
            • Instruction Fuzzy Hash: 9F012832608311FEE6282779FC966E72B94DB05376734022DF413912F0EF118D0AB574
            Function 00DC2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • GetLastError.KERNEL32(?,?,00DC5686,00DD3CD6,?,00000000,?,00DC5B6A,?,?,?,?,?,00DBE6D1,?,00E58A48), ref: 00DC2D78
            • _free.LIBCMT ref: 00DC2DAB
            • _free.LIBCMT ref: 00DC2DD3
            • SetLastError.KERNEL32(00000000,?,?,?,?,00DBE6D1,?,00E58A48,00000010,00D94F4A,?,?,00000000,00DD3CD6), ref: 00DC2DE0
            • SetLastError.KERNEL32(00000000,?,?,?,?,00DBE6D1,?,00E58A48,00000010,00D94F4A,?,?,00000000,00DD3CD6), ref: 00DC2DEC
            • _abort.LIBCMT ref: 00DC2DF2
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorLast$_free$_abort
            • String ID:
            • API String ID: 3160817290-0
            • Opcode ID: 4d9752d00af9dd83d192dd77a131f59be315b6b5d4b52aa4d9f1df0ac38fbd56
            • Instruction ID: ea24456cea30b051e28df4c7a70f7dd02f01fc5566bbd4166b64b2b1c215ef68
            • Opcode Fuzzy Hash: 4d9752d00af9dd83d192dd77a131f59be315b6b5d4b52aa4d9f1df0ac38fbd56
            • Instruction Fuzzy Hash: ACF08131545B036BCA226735AC16F3E2669EBD17B1B38491CF825A31D2EE248C0641B1
            Function 00E28A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DA9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DA9693
              • Part of subcall function 00DA9639: SelectObject.GDI32(?,00000000), ref: 00DA96A2
              • Part of subcall function 00DA9639: BeginPath.GDI32(?), ref: 00DA96B9
              • Part of subcall function 00DA9639: SelectObject.GDI32(?,00000000), ref: 00DA96E2
            • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00E28A4E
            • LineTo.GDI32(?,00000003,00000000), ref: 00E28A62
            • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00E28A70
            • LineTo.GDI32(?,00000000,00000003), ref: 00E28A80
            • EndPath.GDI32(?), ref: 00E28A90
            • StrokePath.GDI32(?), ref: 00E28AA0
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            • Opcode ID: 8113634f9afb228c83094ee46994aaf209f972d735d4e5ce6a826cf6d1f02cfe
            • Instruction ID: 45c2425944b9bc0acead6cf78aa9a9ba919dd6ff8bf785c4199e8d6a3967b0b2
            • Opcode Fuzzy Hash: 8113634f9afb228c83094ee46994aaf209f972d735d4e5ce6a826cf6d1f02cfe
            • Instruction Fuzzy Hash: 40110C76000118FFEF129F95EC48E9A7F6CEB08394F148051FA15A5161C7719D59DBA0
            Function 00DF51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON
            Download Yara Rule
            APIs
            • GetDC.USER32(00000000), ref: 00DF5218
            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00DF5229
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DF5230
            • ReleaseDC.USER32(00000000,00000000), ref: 00DF5238
            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00DF524F
            • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00DF5261
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CapsDevice$Release
            • String ID:
            • API String ID: 1035833867-0
            • Opcode ID: f85a3e56559ce8f920ab93afca41e746044f7fe4c206a713e57eec5e9fa4a08f
            • Instruction ID: 55b18ab8e15037176769812b9c55667ac092fa5094b42f11b48b9f5968af77f3
            • Opcode Fuzzy Hash: f85a3e56559ce8f920ab93afca41e746044f7fe4c206a713e57eec5e9fa4a08f
            • Instruction Fuzzy Hash: AE018F75E00708BFEB109BA6DC49E5EBFB8EF48751F144165FB04A7281D6709805CBA0
            Function 00D91BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON
            Download Yara Rule
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D91BF4
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00D91BFC
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D91C07
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D91C12
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00D91C1A
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D91C22
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            • Opcode ID: 670584f567790da4fc0524d666b0f7197c2406d1d30f4743d10c7d450b379694
            • Instruction ID: f611afbfe4e94835566727710b9ab2f23a100cd6cdc164b024695a908c835d24
            • Opcode Fuzzy Hash: 670584f567790da4fc0524d666b0f7197c2406d1d30f4743d10c7d450b379694
            • Instruction Fuzzy Hash: D7016CB09027597DE3008F5A8C85B56FFA8FF19754F00411B915C47941C7F5A864CBE5
            Function 00DFEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON
            Download Yara Rule
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DFEB30
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DFEB46
            • GetWindowThreadProcessId.USER32(?,?), ref: 00DFEB55
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DFEB64
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DFEB6E
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DFEB75
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            • Opcode ID: 51f9c8ef09b75e34874ec58824ab5eb769672a33741c4b9f7ed9e357d5214042
            • Instruction ID: 6a07868af1ee5ced0dd151bd2bd70a9beb8a0c4c0dca45130c76b6ec5c4157ad
            • Opcode Fuzzy Hash: 51f9c8ef09b75e34874ec58824ab5eb769672a33741c4b9f7ed9e357d5214042
            • Instruction Fuzzy Hash: 68F01772241568BFE6315B63DC0EEAF3A7CEBCAF11F104158F601E109196A05A0A86B5
            Function 00DE7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON
            Download Yara Rule
            APIs
            • GetClientRect.USER32(?), ref: 00DE7452
            • SendMessageW.USER32(?,00001328,00000000,?), ref: 00DE7469
            • GetWindowDC.USER32(?), ref: 00DE7475
            • GetPixel.GDI32(00000000,?,?), ref: 00DE7484
            • ReleaseDC.USER32(?,00000000), ref: 00DE7496
            • GetSysColor.USER32(00000005), ref: 00DE74B0
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ClientColorMessagePixelRectReleaseSendWindow
            • String ID:
            • API String ID: 272304278-0
            • Opcode ID: 5463a8ced6de256da906908c5a07af91e6e1e1d6339ed885d284e5dae5bece27
            • Instruction ID: 64ea00f3c209684cb21ffebaa66978fd06d046d43fa39daabca656c16449b7c2
            • Opcode Fuzzy Hash: 5463a8ced6de256da906908c5a07af91e6e1e1d6339ed885d284e5dae5bece27
            • Instruction Fuzzy Hash: 6D018B31400205EFDB616F66DC08BAE7BB5FF04711F250060F916A21A0CF311E56ABA1
            Function 00DF1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
            Download Yara Rule
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DF187F
            • UnloadUserProfile.USERENV(?,?), ref: 00DF188B
            • CloseHandle.KERNEL32(?), ref: 00DF1894
            • CloseHandle.KERNEL32(?), ref: 00DF189C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00DF18A5
            • HeapFree.KERNEL32(00000000), ref: 00DF18AC
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            • Opcode ID: 82634ebd9cbf94867f656cd4277548448e35169bd019cb8c9f7fed69461bf941
            • Instruction ID: 6898dd328e10d23fe96dbf1f96638a1c78bfdebd0d7c54c30ad33291659ff6ac
            • Opcode Fuzzy Hash: 82634ebd9cbf94867f656cd4277548448e35169bd019cb8c9f7fed69461bf941
            • Instruction Fuzzy Hash: CEE0C236004501BFDA115BA2ED0D90ABB39FF49B22B308621F225A1075CB32947ADB50
            Function 00D9BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON
            Download Yara Rule
            APIs
            • __Init_thread_footer.LIBCMT ref: 00D9BEB3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: D%$D%$D%$D%
            • API String ID: 1385522511-2722557190
            • Opcode ID: cec88f294cca5d9cedc7479d7a90309fa24e7be5d563cb30e89f22e3010b510b
            • Instruction ID: ca21abefe954a7dd381eb4faa88c3f2b4d755495f4e413ba9267ff35f42413cb
            • Opcode Fuzzy Hash: cec88f294cca5d9cedc7479d7a90309fa24e7be5d563cb30e89f22e3010b510b
            • Instruction Fuzzy Hash: 53913D75A0060ACFCF14CF69E1906AAB7F1FF58320B25415ED586AB350D771ED81CBA0
            Function 00DFC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D97620: _wcslen.LIBCMT ref: 00D97625
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DFC6EE
            • _wcslen.LIBCMT ref: 00DFC735
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DFC79C
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DFC7CA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ItemMenu$Info_wcslen$Default
            • String ID: 0
            • API String ID: 1227352736-4108050209
            • Opcode ID: 679c6db5abe5f673c8be176b97559cf4715b78d7921df75bbd6b575d15d5b03b
            • Instruction ID: 71e98274ff5503c3cce69eb8e6ae068dd6b76dbaa2f6092bd0bc07e594954faa
            • Opcode Fuzzy Hash: 679c6db5abe5f673c8be176b97559cf4715b78d7921df75bbd6b575d15d5b03b
            • Instruction Fuzzy Hash: 3751F37162430C9BC715AF28CA45A7B77E4EF85314F09A92DF691E21A0DB60D924CBB2
            Function 00E1AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON
            Download Yara Rule
            APIs
            • ShellExecuteExW.SHELL32(0000003C), ref: 00E1AEA3
              • Part of subcall function 00D97620: _wcslen.LIBCMT ref: 00D97625
            • GetProcessId.KERNEL32(00000000), ref: 00E1AF38
            • CloseHandle.KERNEL32(00000000), ref: 00E1AF67
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CloseExecuteHandleProcessShell_wcslen
            • String ID: <$@
            • API String ID: 146682121-1426351568
            • Opcode ID: de45933bf0eaa73e1ff73a5d04c06994a288044b16636ed8950fc172bf3a3a2a
            • Instruction ID: 207c7efac855a53ef69e412d83bafc456a3650be9bbd756629ab5e645deca7ed
            • Opcode Fuzzy Hash: de45933bf0eaa73e1ff73a5d04c06994a288044b16636ed8950fc172bf3a3a2a
            • Instruction Fuzzy Hash: 93713871A01615DFCF14DF54C484AAEBBF0EF08314F1984A9E85AAB392C774ED85CBA1
            Function 00DF719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON
            Download Yara Rule
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DF7206
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00DF723C
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00DF724D
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DF72CF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: DllGetClassObject
            • API String ID: 753597075-1075368562
            • Opcode ID: 4ff2080ea7718161cca081459804c358a50d92197240c63721cfcf34d3638ea3
            • Instruction ID: 1c08ac4fc6ed90d47f905648c2b08087cde22c3db953cb3bcc095741d62305ea
            • Opcode Fuzzy Hash: 4ff2080ea7718161cca081459804c358a50d92197240c63721cfcf34d3638ea3
            • Instruction Fuzzy Hash: E5415271605208AFDB15CF54C885AEA7BB9EF44310F15C0ADBE05AF20AD7B1D945CBB4
            Function 00E23D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON
            Download Yara Rule
            APIs
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E23E35
            • IsMenu.USER32(?), ref: 00E23E4A
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E23E92
            • DrawMenuBar.USER32 ref: 00E23EA5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Menu$Item$DrawInfoInsert
            • String ID: 0
            • API String ID: 3076010158-4108050209
            • Opcode ID: 8af0c5cf933f52664b6e70d4256855e8d27c615e36543c3cded0767db33b2951
            • Instruction ID: b51745a82d94904ab4502669c597d67667a437dc447421164b58ed7616815eee
            • Opcode Fuzzy Hash: 8af0c5cf933f52664b6e70d4256855e8d27c615e36543c3cded0767db33b2951
            • Instruction Fuzzy Hash: 4C416A75A00319EFDB10DF60E884AEABBB5FF48354F154129E905A7250D734EE49CFA1
            Function 00DF1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
              • Part of subcall function 00DF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DF3CCA
            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00DF1E66
            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00DF1E79
            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00DF1EA9
              • Part of subcall function 00D96B57: _wcslen.LIBCMT ref: 00D96B6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$_wcslen$ClassName
            • String ID: ComboBox$ListBox
            • API String ID: 2081771294-1403004172
            • Opcode ID: 3278bf496c65274f54b4035a2146123cc0c5f381377e808d4becc7845611de0d
            • Instruction ID: 68f169ee06b21d18f8293c9dc58105dfae2cef03b24cce49a1aab60e175d97dc
            • Opcode Fuzzy Hash: 3278bf496c65274f54b4035a2146123cc0c5f381377e808d4becc7845611de0d
            • Instruction Fuzzy Hash: 1C214476A00108BEDF14ABA5DC56CFFB7B8EF42350B158119F921A71E0DB344A0AC630
            Function 00E1C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: HKEY_LOCAL_MACHINE$HKLM
            • API String ID: 176396367-4004644295
            • Opcode ID: 82328cb6195e80733afd802a6167c6ec7a919f2c8366edee93083c2a4636d597
            • Instruction ID: 9b0518ccaf29f74a7f0d852c279badaf19540f24c95bb3cb60962f652c240bcc
            • Opcode Fuzzy Hash: 82328cb6195e80733afd802a6167c6ec7a919f2c8366edee93083c2a4636d597
            • Instruction Fuzzy Hash: 3C31F572A801698ACB22DE6C98501FF33919FA1798B256029EC57FB245E671CDC4D3B0
            Function 00E22F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E22F8D
            • LoadLibraryW.KERNEL32(?), ref: 00E22F94
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E22FA9
            • DestroyWindow.USER32(?), ref: 00E22FB1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$DestroyLibraryLoadWindow
            • String ID: SysAnimate32
            • API String ID: 3529120543-1011021900
            • Opcode ID: 315a6f63af0563a35a9015461027893ad61feb204e785a05d2fef54561130d39
            • Instruction ID: ca388249a0c4cb2d64aec4c76f7eacac9cbd531358b2fe981781b88ca5146922
            • Opcode Fuzzy Hash: 315a6f63af0563a35a9015461027893ad61feb204e785a05d2fef54561130d39
            • Instruction Fuzzy Hash: 51218872200225BFFB208F64ED80EBB37B9EB59368F10661CFA50B21A0D671DC519760
            Function 00DB4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00DB4D1E,00DC28E9,?,00DB4CBE,00DC28E9,00E588B8,0000000C,00DB4E15,00DC28E9,00000002), ref: 00DB4D8D
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DB4DA0
            • FreeLibrary.KERNEL32(00000000,?,?,?,00DB4D1E,00DC28E9,?,00DB4CBE,00DC28E9,00E588B8,0000000C,00DB4E15,00DC28E9,00000002,00000000), ref: 00DB4DC3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: 55655afcc46da196986d267041e0caac4a667f70a65726b1aed24167291190af
            • Instruction ID: e50c2197599234f97a1a30c7b24a941501b538cce18c23c9d253ecfa0e86e71c
            • Opcode Fuzzy Hash: 55655afcc46da196986d267041e0caac4a667f70a65726b1aed24167291190af
            • Instruction Fuzzy Hash: A9F03C34A40308EFDB259B91DC49BEEBFB5EF44752F1400A5E80AB22A1CB309955CAA1
            Function 00DED3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryA.KERNEL32 ref: 00DED3AD
            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00DED3BF
            • FreeLibrary.KERNEL32(00000000), ref: 00DED3E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: GetSystemWow64DirectoryW$X64
            • API String ID: 145871493-2590602151
            • Opcode ID: 74f4ef82f16502c936f4a805d4f10bd80139c2262f42462c25f42b5bd143d7db
            • Instruction ID: 192ce74c0dfc7236ad44bec428e1baa8bbb369ba0a7119bc12ee01e216dad2f7
            • Opcode Fuzzy Hash: 74f4ef82f16502c936f4a805d4f10bd80139c2262f42462c25f42b5bd143d7db
            • Instruction Fuzzy Hash: 85F05530802AA1DBC3313B13CC4992D3222AF00702B789095F986F1110DF70CC4486F7
            Function 00D94E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D94EDD,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94E9C
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D94EAE
            • FreeLibrary.KERNEL32(00000000,?,?,00D94EDD,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94EC0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 145871493-3689287502
            • Opcode ID: b65a186af51342237effde227c4211b9f99f10a68dcdcf3575b3cfab19714bc7
            • Instruction ID: ee339a9d0e3378d3604b35d51752fa89ecb54070e2d9266e239713d6bef3655b
            • Opcode Fuzzy Hash: b65a186af51342237effde227c4211b9f99f10a68dcdcf3575b3cfab19714bc7
            • Instruction Fuzzy Hash: E1E08635A026225F97311726EC19E5F6564AF81B637190115FC01F2101DB60CD0781F1
            Function 00D94E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DD3CDE,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94E62
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D94E74
            • FreeLibrary.KERNEL32(00000000,?,?,00DD3CDE,?,00E61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D94E87
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 145871493-1355242751
            • Opcode ID: d3f5b83e565313e5db21d25a62e78118505c0e022d5e9b4e54d5b23c9043990d
            • Instruction ID: e799d41230d2778562625838ad3a25773cbbe5a2ad60b66eba0a0f84e59576bf
            • Opcode Fuzzy Hash: d3f5b83e565313e5db21d25a62e78118505c0e022d5e9b4e54d5b23c9043990d
            • Instruction Fuzzy Hash: 58D0C232903A315B4B321B26FC09D8F2A28BF85B513190510BC00B2211CF30CD17C1E0
            Function 00E1A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON
            Download Yara Rule
            APIs
            • GetCurrentProcessId.KERNEL32 ref: 00E1A427
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E1A435
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E1A468
            • CloseHandle.KERNEL32(?), ref: 00E1A63D
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process$CloseCountersCurrentHandleOpen
            • String ID:
            • API String ID: 3488606520-0
            • Opcode ID: 354d311976e453e3a5be9a5532cbfce2964f87bae66eaa4a45680d4b48e9d5b4
            • Instruction ID: 8ac1914bc162f99f24b71ee3842a11aa85b7e06e9918651df021b07d8053abf5
            • Opcode Fuzzy Hash: 354d311976e453e3a5be9a5532cbfce2964f87bae66eaa4a45680d4b48e9d5b4
            • Instruction Fuzzy Hash: F9A1B1716053009FD720DF24D886F2AB7E5EF88714F18986DF55A9B292D7B0EC41CBA2
            Function 00DFE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DFDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DFCF22,?), ref: 00DFDDFD
              • Part of subcall function 00DFDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DFCF22,?), ref: 00DFDE16
              • Part of subcall function 00DFE199: GetFileAttributesW.KERNEL32(?,00DFCF95), ref: 00DFE19A
            • lstrcmpiW.KERNEL32(?,?), ref: 00DFE473
            • MoveFileW.KERNEL32(?,?), ref: 00DFE4AC
            • _wcslen.LIBCMT ref: 00DFE5EB
            • _wcslen.LIBCMT ref: 00DFE603
            • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00DFE650
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
            • String ID:
            • API String ID: 3183298772-0
            • Opcode ID: e1e7ba4c66eb6d3d88bd35c42207f8d1e1e6a90f6177fefd7b8593785bb4a5f6
            • Instruction ID: 613d944425667e2d1cecc78e91c2ad96c29a382115aa88cf24b9bda6af62a788
            • Opcode Fuzzy Hash: e1e7ba4c66eb6d3d88bd35c42207f8d1e1e6a90f6177fefd7b8593785bb4a5f6
            • Instruction Fuzzy Hash: 535141B24083499BC724EB94DC919EFB3DCEF84340F14491EF689D3151EE74A6888776
            Function 00E1B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
              • Part of subcall function 00E1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E1B6AE,?,?), ref: 00E1C9B5
              • Part of subcall function 00E1C998: _wcslen.LIBCMT ref: 00E1C9F1
              • Part of subcall function 00E1C998: _wcslen.LIBCMT ref: 00E1CA68
              • Part of subcall function 00E1C998: _wcslen.LIBCMT ref: 00E1CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E1BAA5
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E1BB00
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E1BB63
            • RegCloseKey.ADVAPI32(?,?), ref: 00E1BBA6
            • RegCloseKey.ADVAPI32(00000000), ref: 00E1BBB3
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
            • String ID:
            • API String ID: 826366716-0
            • Opcode ID: 877ec9ef6271b125a80c8d28bdb530068a9b0bbf3d86588f5813d1a3e3d00648
            • Instruction ID: bc6cd890195c5e0b42630b9a4039914c25dc90f9a972371d915650ab15458dc0
            • Opcode Fuzzy Hash: 877ec9ef6271b125a80c8d28bdb530068a9b0bbf3d86588f5813d1a3e3d00648
            • Instruction Fuzzy Hash: 5661C531208241EFD714DF14C490E6ABBE5FF84308F54955CF4999B2A2DB31ED85CBA2
            Function 00DF8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON
            Download Yara Rule
            APIs
            • VariantInit.OLEAUT32(?), ref: 00DF8BCD
            • VariantClear.OLEAUT32 ref: 00DF8C3E
            • VariantClear.OLEAUT32 ref: 00DF8C9D
            • VariantClear.OLEAUT32(?), ref: 00DF8D10
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DF8D3B
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Variant$Clear$ChangeInitType
            • String ID:
            • API String ID: 4136290138-0
            • Opcode ID: 5a1ea8a4a089b85de4c83df707606bf3195f270d1600ec603008acabe5b7b721
            • Instruction ID: be13d30d010e4900a51ebeea4552a9ea467ee5395027c5bfd5681dc1c7ca7f19
            • Opcode Fuzzy Hash: 5a1ea8a4a089b85de4c83df707606bf3195f270d1600ec603008acabe5b7b721
            • Instruction Fuzzy Hash: 77517CB5A00619EFCB10CF69C884AAAB7F8FF89310B168559F915DB354E730E911CFA0
            Function 00E08AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON
            Download Yara Rule
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E08BAE
            • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00E08BDA
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E08C32
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E08C57
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E08C5F
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: PrivateProfile$SectionWrite$String
            • String ID:
            • API String ID: 2832842796-0
            • Opcode ID: 287c8d8c96a086a19fc2ec2de76cc3d248397775e611079b31f71252884eaf5e
            • Instruction ID: a60f51a9afa13a91d5a6a25c930866e7a06b4a58d3b06f0159a66f2d7d1d4a5b
            • Opcode Fuzzy Hash: 287c8d8c96a086a19fc2ec2de76cc3d248397775e611079b31f71252884eaf5e
            • Instruction Fuzzy Hash: EC513735A006149FDF11DF65C880A69BBF5FF49314F098498E849AB3A2DB31ED51CBA1
            Function 00E18EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00E18F40
            • GetProcAddress.KERNEL32(00000000,?), ref: 00E18FD0
            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00E18FEC
            • GetProcAddress.KERNEL32(00000000,?), ref: 00E19032
            • FreeLibrary.KERNEL32(00000000), ref: 00E19052
              • Part of subcall function 00DAF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00E01043,?,753CE610), ref: 00DAF6E6
              • Part of subcall function 00DAF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00DEFA64,00000000,00000000,?,?,00E01043,?,753CE610,?,00DEFA64), ref: 00DAF70D
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
            • String ID:
            • API String ID: 666041331-0
            • Opcode ID: d450c35db939748f190be735a3428b4c75b681390cf6c19ba45eb1e8a4bfcff6
            • Instruction ID: 9e8b577cda6c0e3d4201fb5ce5b1f7ad2622fbac08296f6c3bcdd2072b61e628
            • Opcode Fuzzy Hash: d450c35db939748f190be735a3428b4c75b681390cf6c19ba45eb1e8a4bfcff6
            • Instruction Fuzzy Hash: 3E513A35605205DFCB15DF58C4948EDBBF1FF49324B099099E806AB362DB31ED86CBA0
            Function 00E26B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON
            Download Yara Rule
            APIs
            • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00E26C33
            • SetWindowLongW.USER32(?,000000EC,?), ref: 00E26C4A
            • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00E26C73
            • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00E0AB79,00000000,00000000), ref: 00E26C98
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00E26CC7
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$Long$MessageSendShow
            • String ID:
            • API String ID: 3688381893-0
            • Opcode ID: d9525c3fbee93f274f3aff3234e370036bfc67d4d8667d57f199519d6eb0f445
            • Instruction ID: 26febb94f06ee01e0983bb51e2b6024011234bb716ef724872602c57ed7c8f49
            • Opcode Fuzzy Hash: d9525c3fbee93f274f3aff3234e370036bfc67d4d8667d57f199519d6eb0f445
            • Instruction Fuzzy Hash: 04412835600124AFDB24EF29EC4AFA9BBA4EB49364F141368F895B72E0C371ED41CA50
            Function 00DC2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: f0b4551ea898d8f9e84ac17f7eb5b22fbc52ba94816b24480a2666a85d2de967
            • Instruction ID: f4fe9a59458d2026447b5ef95cde9efc92eb55492ce4f8ba545bd000f57b614b
            • Opcode Fuzzy Hash: f0b4551ea898d8f9e84ac17f7eb5b22fbc52ba94816b24480a2666a85d2de967
            • Instruction Fuzzy Hash: 65419232A003019FCB24DF78C881F69B7A5EF89314B1945ADE555EB395DA31AE01DBA0
            Function 00DA912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON
            Download Yara Rule
            APIs
            • GetCursorPos.USER32(?), ref: 00DA9141
            • ScreenToClient.USER32(00000000,?), ref: 00DA915E
            • GetAsyncKeyState.USER32(00000001), ref: 00DA9183
            • GetAsyncKeyState.USER32(00000002), ref: 00DA919D
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            • Opcode ID: 8507fbe9adc13f3fcf4e57c75a4558d28353b080c21e9a9148d5af55f41081ec
            • Instruction ID: 670f3a9b7699334096ff6b7c4d682b2c208a61554a9f9e76f6e403615930d4bc
            • Opcode Fuzzy Hash: 8507fbe9adc13f3fcf4e57c75a4558d28353b080c21e9a9148d5af55f41081ec
            • Instruction Fuzzy Hash: 8C419F31A0875ABBDF15AF65C854BEEF774FF06320F248219E429A72D0C730A954CBA1
            Function 00E03874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON
            Download Yara Rule
            APIs
            • GetInputState.USER32 ref: 00E038CB
            • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00E03922
            • TranslateMessage.USER32(?), ref: 00E0394B
            • DispatchMessageW.USER32(?), ref: 00E03955
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E03966
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Message$Translate$AcceleratorDispatchInputPeekState
            • String ID:
            • API String ID: 2256411358-0
            • Opcode ID: 1778815989674d1d8db053b98459e91895447c761cf7082000219235c14d0636
            • Instruction ID: 6f1db8278b1b21919dde4404afdd4c24b6289baf7294083a17d1d4b6bbdd5131
            • Opcode Fuzzy Hash: 1778815989674d1d8db053b98459e91895447c761cf7082000219235c14d0636
            • Instruction Fuzzy Hash: 3431F7709043419EEB39CB35E808BB737ACAB41348F5815ADE462F21E4E3F496C9CB21
            Function 00E0CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON
            Download Yara Rule
            APIs
            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00E0CF38
            • InternetReadFile.WININET(?,00000000,?,?), ref: 00E0CF6F
            • GetLastError.KERNEL32(?,00000000,?,?,?,00E0C21E,00000000), ref: 00E0CFB4
            • SetEvent.KERNEL32(?,?,00000000,?,?,?,00E0C21E,00000000), ref: 00E0CFC8
            • SetEvent.KERNEL32(?,?,00000000,?,?,?,00E0C21E,00000000), ref: 00E0CFF2
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
            • String ID:
            • API String ID: 3191363074-0
            • Opcode ID: 31703e466b3c9d3c13dbee100dbbac6057c2da46f2ea0ad24e20622ade4a40f3
            • Instruction ID: 9dc3893555bcc73d71833f9dbb3ce412de981920a49fcf3d388600edd4279be4
            • Opcode Fuzzy Hash: 31703e466b3c9d3c13dbee100dbbac6057c2da46f2ea0ad24e20622ade4a40f3
            • Instruction Fuzzy Hash: F1318071600606EFDB20DFA5C8849AFBBF9EF04358B20456EF506F2190DB30AE85DB61
            Function 00DF1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON
            Download Yara Rule
            APIs
            • GetWindowRect.USER32(?,?), ref: 00DF1915
            • PostMessageW.USER32(00000001,00000201,00000001), ref: 00DF19C1
            • Sleep.KERNEL32(00000000,?,?,?), ref: 00DF19C9
            • PostMessageW.USER32(00000001,00000202,00000000), ref: 00DF19DA
            • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00DF19E2
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            • Opcode ID: db95224bade26a169a384459813e01b8a6e59b13c71b8967c19d06a5137f44bd
            • Instruction ID: 45206c2b4aea2c29d14b144a60213e079502fde667f5fd0c4c5d348de90d5e95
            • Opcode Fuzzy Hash: db95224bade26a169a384459813e01b8a6e59b13c71b8967c19d06a5137f44bd
            • Instruction Fuzzy Hash: 2431E27590021DEFCB14CFA8CD99AEE3BB5EB04314F118229FA21A72D0C3B09954CFA1
            Function 00E25706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E25745
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E2579D
            • _wcslen.LIBCMT ref: 00E257AF
            • _wcslen.LIBCMT ref: 00E257BA
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E25816
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$_wcslen
            • String ID:
            • API String ID: 763830540-0
            • Opcode ID: 6eb711a523de7016e27b5a48f75ae8a00e29faa962196a73d3d6f1ad05afa0fb
            • Instruction ID: 21cd3544b2e88ce2b0b6666916cc3cc69e63c009011ea5e13e6dd7d2c17d3cf3
            • Opcode Fuzzy Hash: 6eb711a523de7016e27b5a48f75ae8a00e29faa962196a73d3d6f1ad05afa0fb
            • Instruction Fuzzy Hash: F421B632904628DADB209F60ED84AEEB7B8FF44724F109216F92AFB180D770C985CF51
            Function 00E10930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON
            Download Yara Rule
            APIs
            • IsWindow.USER32(00000000), ref: 00E10951
            • GetForegroundWindow.USER32 ref: 00E10968
            • GetDC.USER32(00000000), ref: 00E109A4
            • GetPixel.GDI32(00000000,?,00000003), ref: 00E109B0
            • ReleaseDC.USER32(00000000,00000003), ref: 00E109E8
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$ForegroundPixelRelease
            • String ID:
            • API String ID: 4156661090-0
            • Opcode ID: 73ee1fdc4c827fbee3a89e5d047e191d974bcfbfa38f3b053f28dd079af1d649
            • Instruction ID: 038e47913e6aab291891299c9ed41aa6c068cf0dc7fca2b6392dd8d21fc71f2d
            • Opcode Fuzzy Hash: 73ee1fdc4c827fbee3a89e5d047e191d974bcfbfa38f3b053f28dd079af1d649
            • Instruction Fuzzy Hash: F021C335600204AFD714EF65D884AAEBBF5EF84700F108069F85AE7762CB70AC45CBA0
            Function 00DCCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON
            Download Yara Rule
            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 00DCCDC6
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DCCDE9
              • Part of subcall function 00DC3820: RtlAllocateHeap.NTDLL(00000000,?,00E61444,?,00DAFDF5,?,?,00D9A976,00000010,00E61440,00D913FC,?,00D913C6,?,00D91129), ref: 00DC3852
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00DCCE0F
            • _free.LIBCMT ref: 00DCCE22
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DCCE31
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
            • String ID:
            • API String ID: 336800556-0
            • Opcode ID: d66e1acc4205418dd7345ba6af0074c26b3ad6c2766b596e978468c1a6aea196
            • Instruction ID: 91fb4a3449de55288dac9d0060ddc16f3cccf170793b70b5232f09d4ce0e4b04
            • Opcode Fuzzy Hash: d66e1acc4205418dd7345ba6af0074c26b3ad6c2766b596e978468c1a6aea196
            • Instruction Fuzzy Hash: D301D4726126167F233216B7AC88F7F696DDFC7BA1329112DFA09D7201EA618D0281F0
            Function 00DA9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON
            Download Yara Rule
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DA9693
            • SelectObject.GDI32(?,00000000), ref: 00DA96A2
            • BeginPath.GDI32(?), ref: 00DA96B9
            • SelectObject.GDI32(?,00000000), ref: 00DA96E2
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: d55bc0c11bbfa1f6e54c11522241e9c86bea8b5520b1fa4169a614875da04346
            • Instruction ID: 69f7a3e6370d4272bca0daff8692c2cf0b507fe4db4f68f0e97e1e354a496a36
            • Opcode Fuzzy Hash: d55bc0c11bbfa1f6e54c11522241e9c86bea8b5520b1fa4169a614875da04346
            • Instruction Fuzzy Hash: FA214130802305EFDB129F66EC25BAA7B74BF91395F1C4255F410B61A0D3B0985ADFA4
            Function 00DA990F Relevance: 7.6, APIs: 5, Instructions: 64COMMON
            Download Yara Rule
            APIs
            • GetSysColor.USER32(00000008), ref: 00DA98CC
            • SetTextColor.GDI32(?,?), ref: 00DA98D6
            • SetBkMode.GDI32(?,00000001), ref: 00DA98E9
            • GetStockObject.GDI32(00000005), ref: 00DA98F1
            • GetWindowLongW.USER32(?,000000EB), ref: 00DA9952
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Color$LongModeObjectStockTextWindow
            • String ID:
            • API String ID: 1860813098-0
            • Opcode ID: 5654217f47fe09ad686d84f538aec4e5b351deafaddc392f38e02b58c06d221d
            • Instruction ID: b75786b61dff7d3420488e63df640a953110c1f05c47d6d774e9ebf7d033ec17
            • Opcode Fuzzy Hash: 5654217f47fe09ad686d84f538aec4e5b351deafaddc392f38e02b58c06d221d
            • Instruction Fuzzy Hash: 7621273114A2809FC7224F36ECB9AAA7B609F13331B2C019DF5929B1A1C7354C45CB61
            Function 00DF5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 9ba36f43c9ed76b3fadec6b5a5d1b1d899263923ce5ab3abca8f87994287357a
            • Instruction ID: 47063dc5c278ec0528d29ac5306e77e56e2d6cffbc8ee11c2b88b956f0809a75
            • Opcode Fuzzy Hash: 9ba36f43c9ed76b3fadec6b5a5d1b1d899263923ce5ab3abca8f87994287357a
            • Instruction Fuzzy Hash: BB01F566645B1DFBD6086111BD82FFBB39CDB21394F558030FF06AA245F720ED1082B0
            Function 00DC2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • GetLastError.KERNEL32(?,?,?,00DBF2DE,00DC3863,00E61444,?,00DAFDF5,?,?,00D9A976,00000010,00E61440,00D913FC,?,00D913C6), ref: 00DC2DFD
            • _free.LIBCMT ref: 00DC2E32
            • _free.LIBCMT ref: 00DC2E59
            • SetLastError.KERNEL32(00000000,00D91129), ref: 00DC2E66
            • SetLastError.KERNEL32(00000000,00D91129), ref: 00DC2E6F
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorLast$_free
            • String ID:
            • API String ID: 3170660625-0
            • Opcode ID: 25c1232965070bb93b27fa090bd9bdbd5ab85b9d9e4c8307c716e57b6ad16970
            • Instruction ID: 2ec3f47df0c5ededeb2f880f343d2f72b01a926742b257b0d8eb7e555682f956
            • Opcode Fuzzy Hash: 25c1232965070bb93b27fa090bd9bdbd5ab85b9d9e4c8307c716e57b6ad16970
            • Instruction Fuzzy Hash: 2101D136245A036B8A2266B66C46F3B266DEBC17B1B38442CF465B3192EF30CC0A4430
            Function 00DF000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON
            Download Yara Rule
            APIs
            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DEFF41,80070057,?,?,?,00DF035E), ref: 00DF002B
            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DEFF41,80070057,?,?), ref: 00DF0046
            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DEFF41,80070057,?,?), ref: 00DF0054
            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DEFF41,80070057,?), ref: 00DF0064
            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DEFF41,80070057,?,?), ref: 00DF0070
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            • Opcode ID: 8ed19afc5889d448c4034f3e3f05f5ee5780aeefdeaf874262385c87dbd3d224
            • Instruction ID: 2bc98363ac65901dd63f687b5f0a13090438a6bd9d1e1c2221e2a884b88bc6d8
            • Opcode Fuzzy Hash: 8ed19afc5889d448c4034f3e3f05f5ee5780aeefdeaf874262385c87dbd3d224
            • Instruction Fuzzy Hash: 67017C72600208BFDB244F69EC04BAE7EADEB44752F258124FA05E3211DB71DD458BA0
            Function 00DFE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON
            Download Yara Rule
            APIs
            • QueryPerformanceCounter.KERNEL32(?), ref: 00DFE997
            • QueryPerformanceFrequency.KERNEL32(?), ref: 00DFE9A5
            • Sleep.KERNEL32(00000000), ref: 00DFE9AD
            • QueryPerformanceCounter.KERNEL32(?), ref: 00DFE9B7
            • Sleep.KERNEL32 ref: 00DFE9F3
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: 011a8d2aa65f70d277cbb2ef4c13329c836437ce542fa29ff06ca02d60898c84
            • Instruction ID: fbb12dda41e1c68e83f037d3336dc2667740634ad8d167868202a3c270b6f8c5
            • Opcode Fuzzy Hash: 011a8d2aa65f70d277cbb2ef4c13329c836437ce542fa29ff06ca02d60898c84
            • Instruction Fuzzy Hash: 76013931C01A6DDBCF109BE6DC496EDBB78BB09700F128546E602B2260CB70955A8BB1
            Function 00DF10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON
            Download Yara Rule
            APIs
            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DF1114
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,00DF0B9B,?,?,?), ref: 00DF1120
            • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DF0B9B,?,?,?), ref: 00DF112F
            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DF0B9B,?,?,?), ref: 00DF1136
            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DF114D
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: d0e1516ff9a974ae52c982892bdc42ac858406924aa7461404b3be4cba078fd0
            • Instruction ID: 0beb7d077e1a3f83334bbada872f7901553431caba9aa223e0d8fd1c2e2a43ca
            • Opcode Fuzzy Hash: d0e1516ff9a974ae52c982892bdc42ac858406924aa7461404b3be4cba078fd0
            • Instruction Fuzzy Hash: 6E016D79100305BFDB214F65DC49A6A3B6EEF85360B254415FA45D3350DB71DC458A60
            Function 00DF0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON
            Download Yara Rule
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DF0FCA
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DF0FD6
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DF0FE5
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DF0FEC
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DF1002
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 0fa39b972012b000a658ca0086e3f80d0d6ff098d8adb5d4349c0e00803737bd
            • Instruction ID: 87fe5686ced22d8262ef965c2934c73cb685f24cbb686dd786637e2c85248cd0
            • Opcode Fuzzy Hash: 0fa39b972012b000a658ca0086e3f80d0d6ff098d8adb5d4349c0e00803737bd
            • Instruction Fuzzy Hash: C2F0AF3A100305EFD7214FA5DC4AF5A3B6DEF89761F254414FA05D7250CA30DC458A60
            Function 00DF1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON
            Download Yara Rule
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DF102A
            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DF1036
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF1045
            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF104C
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF1062
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 5d0b768bfa8fa36d3f8eeebb0ac35505deecebdd589d4808a425afb12674b012
            • Instruction ID: 036b119301bbc957d057eaac69db8b6960c26790f763df62a96b8b3497e14822
            • Opcode Fuzzy Hash: 5d0b768bfa8fa36d3f8eeebb0ac35505deecebdd589d4808a425afb12674b012
            • Instruction Fuzzy Hash: BEF0CD39200305FFDB215FA6EC4AF6A3BADEF89761F214424FA05E7250CE30D8858A70
            Function 00E0030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON
            Download Yara Rule
            APIs
            • CloseHandle.KERNEL32(?,?,?,?,00E0017D,?,00E032FC,?,00000001,00DD2592,?), ref: 00E00324
            • CloseHandle.KERNEL32(?,?,?,?,00E0017D,?,00E032FC,?,00000001,00DD2592,?), ref: 00E00331
            • CloseHandle.KERNEL32(?,?,?,?,00E0017D,?,00E032FC,?,00000001,00DD2592,?), ref: 00E0033E
            • CloseHandle.KERNEL32(?,?,?,?,00E0017D,?,00E032FC,?,00000001,00DD2592,?), ref: 00E0034B
            • CloseHandle.KERNEL32(?,?,?,?,00E0017D,?,00E032FC,?,00000001,00DD2592,?), ref: 00E00358
            • CloseHandle.KERNEL32(?,?,?,?,00E0017D,?,00E032FC,?,00000001,00DD2592,?), ref: 00E00365
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            • Opcode ID: 4b970b420a09bdd78d2bbecb6930e7437921efe83d781ee4a45441a8be87d620
            • Instruction ID: 379a4e69ace8860eb6e224bd5fd20475daf7a9864cee10b3ffce85ba9ccd83af
            • Opcode Fuzzy Hash: 4b970b420a09bdd78d2bbecb6930e7437921efe83d781ee4a45441a8be87d620
            • Instruction Fuzzy Hash: 9501EE72800B019FCB31AF66D880902FBF9FF603193149A3FD19262970C3B4A988CF80
            Function 00DCD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • _free.LIBCMT ref: 00DCD752
              • Part of subcall function 00DC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000), ref: 00DC29DE
              • Part of subcall function 00DC29C8: GetLastError.KERNEL32(00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000,00000000), ref: 00DC29F0
            • _free.LIBCMT ref: 00DCD764
            • _free.LIBCMT ref: 00DCD776
            • _free.LIBCMT ref: 00DCD788
            • _free.LIBCMT ref: 00DCD79A
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 32adc97a125e29de8630c4f67ab4d4e2fedb7bfd4a2c2fcf3bfd28ae1bd02e41
            • Instruction ID: 434be9a0618343265af29d92e6e99ea4b813a4f9f694509ff1f7719764b4660d
            • Opcode Fuzzy Hash: 32adc97a125e29de8630c4f67ab4d4e2fedb7bfd4a2c2fcf3bfd28ae1bd02e41
            • Instruction Fuzzy Hash: F1F0C972584306AF8A29AB65F9C5E2677DAFB447117A90C1DF04AE7541CB30F8808A74
            Function 00DF5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON
            Download Yara Rule
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 00DF5C58
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00DF5C6F
            • MessageBeep.USER32(00000000), ref: 00DF5C87
            • KillTimer.USER32(?,0000040A), ref: 00DF5CA3
            • EndDialog.USER32(?,00000001), ref: 00DF5CBD
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            • Opcode ID: 6dc08703f287d53292d2bad5b39bb09b58ef626a0483f88e7b18fa413c14d636
            • Instruction ID: 292eb105fd542500edae7ff79f4ff12e3ffa4b559fd0f23045f53316427eb0a2
            • Opcode Fuzzy Hash: 6dc08703f287d53292d2bad5b39bb09b58ef626a0483f88e7b18fa413c14d636
            • Instruction Fuzzy Hash: 33016230500B08AFEB305B11ED4EFAA77B8BF00B05F054559A783B14E1DBF0A9898AA0
            Function 00DC22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON
            Download Yara Rule
            APIs
            • _free.LIBCMT ref: 00DC22BE
              • Part of subcall function 00DC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000), ref: 00DC29DE
              • Part of subcall function 00DC29C8: GetLastError.KERNEL32(00000000,?,00DCD7D1,00000000,00000000,00000000,00000000,?,00DCD7F8,00000000,00000007,00000000,?,00DCDBF5,00000000,00000000), ref: 00DC29F0
            • _free.LIBCMT ref: 00DC22D0
            • _free.LIBCMT ref: 00DC22E3
            • _free.LIBCMT ref: 00DC22F4
            • _free.LIBCMT ref: 00DC2305
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 577099b4e833938c62048c8862d065056ade63f136fd3c4906a233b6441b4979
            • Instruction ID: 34090fee9dd010c965e5dd2e88d03486f92e143fee77344cbdd1690050a6bf34
            • Opcode Fuzzy Hash: 577099b4e833938c62048c8862d065056ade63f136fd3c4906a233b6441b4979
            • Instruction Fuzzy Hash: A7F030705802219F8A17AF56BC11D2A7B64F7187D1718054EF420F3371CBB01519EFB4
            Function 00DA95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON
            Download Yara Rule
            APIs
            • EndPath.GDI32(?), ref: 00DA95D4
            • StrokeAndFillPath.GDI32(?,?,00DE71F7,00000000,?,?,?), ref: 00DA95F0
            • SelectObject.GDI32(?,00000000), ref: 00DA9603
            • DeleteObject.GDI32 ref: 00DA9616
            • StrokePath.GDI32(?), ref: 00DA9631
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: ab6fb8874efbd5dbe4e6da170a4262f2708a1e3a17c5b2b05781700571aa1d99
            • Instruction ID: 19bab44e2c63a2de0c5800437f1df23534da23beffb321b36393b2f179e2de6a
            • Opcode Fuzzy Hash: ab6fb8874efbd5dbe4e6da170a4262f2708a1e3a17c5b2b05781700571aa1d99
            • Instruction Fuzzy Hash: AFF01D30406204DFEB275F56ED29B693B65AB423A2F1C8254F455750F0C770855ADF61
            Function 00DC0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: __freea$_free
            • String ID: a/p$am/pm
            • API String ID: 3432400110-3206640213
            • Opcode ID: 84c1d466f20490b07ef4ecd146b2612fd70b4291b268349bd9aa16ae0a532fdd
            • Instruction ID: da69c128f1bbfff7c021a051b6513a61ce03d45946b53195127abe9ae4f68938
            • Opcode Fuzzy Hash: 84c1d466f20490b07ef4ecd146b2612fd70b4291b268349bd9aa16ae0a532fdd
            • Instruction Fuzzy Hash: 63D1DF399002A7CADB249F68C855FBAB7B0EF07304F2C425DE941AB652D2359D81CBB1
            Function 00E161D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DB0242: EnterCriticalSection.KERNEL32(00E6070C,00E61884,?,?,00DA198B,00E62518,?,?,?,00D912F9,00000000), ref: 00DB024D
              • Part of subcall function 00DB0242: LeaveCriticalSection.KERNEL32(00E6070C,?,00DA198B,00E62518,?,?,?,00D912F9,00000000), ref: 00DB028A
              • Part of subcall function 00DB00A3: __onexit.LIBCMT ref: 00DB00A9
            • __Init_thread_footer.LIBCMT ref: 00E16238
              • Part of subcall function 00DB01F8: EnterCriticalSection.KERNEL32(00E6070C,?,?,00DA8747,00E62514), ref: 00DB0202
              • Part of subcall function 00DB01F8: LeaveCriticalSection.KERNEL32(00E6070C,?,00DA8747,00E62514), ref: 00DB0235
              • Part of subcall function 00E0359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00E035E4
              • Part of subcall function 00E0359C: LoadStringW.USER32(00E62390,?,00000FFF,?), ref: 00E0360A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
            • String ID: x#$x#$x#
            • API String ID: 1072379062-1894725482
            • Opcode ID: 4072af2e9e6c32af1466167c6c9da221831756ecb0b8d1c7a549d186383eac14
            • Instruction ID: 3091c77a932114e31cf7ec086edc8ca82dbcfb192d3965d71d7727a1d0311a2b
            • Opcode Fuzzy Hash: 4072af2e9e6c32af1466167c6c9da221831756ecb0b8d1c7a549d186383eac14
            • Instruction Fuzzy Hash: 04C15C71A00105AFCB14DF98C891EFEB7BAFF48344F148469E955AB291DB70ED85CBA0
            Function 00E17B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DB0242: EnterCriticalSection.KERNEL32(00E6070C,00E61884,?,?,00DA198B,00E62518,?,?,?,00D912F9,00000000), ref: 00DB024D
              • Part of subcall function 00DB0242: LeaveCriticalSection.KERNEL32(00E6070C,?,00DA198B,00E62518,?,?,?,00D912F9,00000000), ref: 00DB028A
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
              • Part of subcall function 00DB00A3: __onexit.LIBCMT ref: 00DB00A9
            • __Init_thread_footer.LIBCMT ref: 00E17BFB
              • Part of subcall function 00DB01F8: EnterCriticalSection.KERNEL32(00E6070C,?,?,00DA8747,00E62514), ref: 00DB0202
              • Part of subcall function 00DB01F8: LeaveCriticalSection.KERNEL32(00E6070C,?,00DA8747,00E62514), ref: 00DB0235
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
            • String ID: 5$G$Variable must be of type 'Object'.
            • API String ID: 535116098-3733170431
            • Opcode ID: d7821545065a225583857ee807b7aaa136a4095101cb114600a44bb9f56a7cff
            • Instruction ID: 474be9dae47b7c8b717f084e445f79b46c9f7b222dabbddbedc32f7a84f0cc0e
            • Opcode Fuzzy Hash: d7821545065a225583857ee807b7aaa136a4095101cb114600a44bb9f56a7cff
            • Instruction Fuzzy Hash: 2C91AF74A04209EFCB04EF94D8819FDB7B1FF49704F109059F886AB292DB709E85CB61
            Function 00DF2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DFB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DF21D0,?,?,00000034,00000800,?,00000034), ref: 00DFB42D
            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00DF2760
              • Part of subcall function 00DFB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DF21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00DFB3F8
              • Part of subcall function 00DFB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00DFB355
              • Part of subcall function 00DFB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00DF2194,00000034,?,?,00001004,00000000,00000000), ref: 00DFB365
              • Part of subcall function 00DFB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00DF2194,00000034,?,?,00001004,00000000,00000000), ref: 00DFB37B
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DF27CD
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DF281A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
            • String ID: @
            • API String ID: 4150878124-2766056989
            • Opcode ID: a536e7c3c1814dfd577c0c208160cd319d4c6cadd8c454b5448659dc96c87730
            • Instruction ID: 26ae4436d1e73cb2754805948301ca501f27daa8f68c4c8c8e0b062b992cad18
            • Opcode Fuzzy Hash: a536e7c3c1814dfd577c0c208160cd319d4c6cadd8c454b5448659dc96c87730
            • Instruction Fuzzy Hash: 21413B7690021CAFDB10DBA4CD82AEEBBB8EF09710F158095FA55B7181DB706E45CBB1
            Function 00DC172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON
            Download Yara Rule
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\BOQ Inquiry.exe,00000104), ref: 00DC1769
            • _free.LIBCMT ref: 00DC1834
            • _free.LIBCMT ref: 00DC183E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _free$FileModuleName
            • String ID: C:\Users\user\Desktop\BOQ Inquiry.exe
            • API String ID: 2506810119-3594113182
            • Opcode ID: 521d7e71719e5f60f72fcd2d205e0c248a7aa11bd68d206056755109b3ed9dfd
            • Instruction ID: 45ac30bffd4e0750ef36919e9dda4d10bdbc9402f47ed7e23ca6c9b522b5e44c
            • Opcode Fuzzy Hash: 521d7e71719e5f60f72fcd2d205e0c248a7aa11bd68d206056755109b3ed9dfd
            • Instruction Fuzzy Hash: 43319579A44229FFDB21DF959881E9EBBBCEF86350B1441AAF404D7212D6708E40DBB0
            Function 00DFC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON
            Download Yara Rule
            APIs
            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00DFC306
            • DeleteMenu.USER32(?,00000007,00000000), ref: 00DFC34C
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E61990,01425550), ref: 00DFC395
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Menu$Delete$InfoItem
            • String ID: 0
            • API String ID: 135850232-4108050209
            • Opcode ID: 7f6483c3aedae6c4a526123d4cb7858f1843095e2ab213cdd0e5ba7d27e094dc
            • Instruction ID: bb997ca6be5b837e9c5ae46246ea5d1f79e6b20bf293ea13d0e4d4477786d012
            • Opcode Fuzzy Hash: 7f6483c3aedae6c4a526123d4cb7858f1843095e2ab213cdd0e5ba7d27e094dc
            • Instruction Fuzzy Hash: 4641BB312043099FD720DF29D980B2ABBE4EF84360F15CA1DEAA1972D1D730E914CB72
            Function 00E24416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON
            Download Yara Rule
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E2CC08,00000000,?,?,?,?), ref: 00E244AA
            • GetWindowLongW.USER32 ref: 00E244C7
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E244D7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            • Opcode ID: ad78aeddc9017cd0f88188c25e91b75c246b2fea95b3767e037377a9f11deb8f
            • Instruction ID: 7712a5c0a60314fa05bc52869463e0125ae84ac18e854188e53e7f0e228d2854
            • Opcode Fuzzy Hash: ad78aeddc9017cd0f88188c25e91b75c246b2fea95b3767e037377a9f11deb8f
            • Instruction Fuzzy Hash: 1631ADB2200215AFDF219E38EC45BEA7BA9EF08338F205715F975A21D0D770EC519B60
            Function 00E1304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00E1335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00E13077,?,?), ref: 00E13378
            • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00E1307A
            • _wcslen.LIBCMT ref: 00E1309B
            • htons.WSOCK32(00000000,?,?,00000000), ref: 00E13106
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 946324512-2422070025
            • Opcode ID: d4bfee866e0b8844f25408ca1757ac437f185264c34f55e26b53a726c6d765e4
            • Instruction ID: 533ad6d2dbb38bec5913bdc159ea5840f06cb6bc3e2477dbf8d4c0912d6d8ad6
            • Opcode Fuzzy Hash: d4bfee866e0b8844f25408ca1757ac437f185264c34f55e26b53a726c6d765e4
            • Instruction Fuzzy Hash: 5A31D5396002019FCB24CF39C485EEA77E0EF58318F249099E915AB392D771EE85C770
            Function 00E24653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E24705
            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E24713
            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E2471A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$DestroyWindow
            • String ID: msctls_updown32
            • API String ID: 4014797782-2298589950
            • Opcode ID: 542a9078d7d4b4ef2de40cddde6a971fa835e15c50c44a0bb37de93ac554df44
            • Instruction ID: 3a95a43e7f83a9521ca9793a56c126d3bc60f2a9bffba3bc6a6828097df9d9b6
            • Opcode Fuzzy Hash: 542a9078d7d4b4ef2de40cddde6a971fa835e15c50c44a0bb37de93ac554df44
            • Instruction Fuzzy Hash: 55214FF5600214AFDB11DF64EC81DBB37ADEB5A398B141059FA14AB291CB70EC11CB70
            Function 00DF95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 176396367-2734436370
            • Opcode ID: 2f06de0a6c614a45bc7a73082ab17cf6b6ed5c706241cc87aa42af7e13e41b80
            • Instruction ID: 301f0fb3da70d540cad6df3cd150984fbd1178f0cb63a7c3fda44421fc9ff9e5
            • Opcode Fuzzy Hash: 2f06de0a6c614a45bc7a73082ab17cf6b6ed5c706241cc87aa42af7e13e41b80
            • Instruction Fuzzy Hash: 76213872504265A6C731AB249C22FBBF3D8DF51310F19802AFA4AE7181EB51DD41C2B5
            Function 00E237B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E23840
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E23850
            • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E23876
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            • Opcode ID: 32f8185a78ac1dec2d7f1429129996707803da123a593ab6a930ce6b779a18cb
            • Instruction ID: 24573aab4e95c32fa95c61090743faa12f64de98bc465d4fe21f4a5246cdd1bc
            • Opcode Fuzzy Hash: 32f8185a78ac1dec2d7f1429129996707803da123a593ab6a930ce6b779a18cb
            • Instruction Fuzzy Hash: 4421D472600228BFEF258F65EC81FBB376EEF89754F109115F904AB190C675DC528BA0
            Function 00E049F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON
            Download Yara Rule
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00E04A08
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E04A5C
            • SetErrorMode.KERNEL32(00000000,?,?,00E2CC08), ref: 00E04AD0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorMode$InformationVolume
            • String ID: %lu
            • API String ID: 2507767853-685833217
            • Opcode ID: d723e0f5936307acfc0305234d7657d0dcb3f0fb123ff0f6c51d8c972f91520d
            • Instruction ID: e7c8cb67d9932079af7b3e0d5eff4721b8cb69f67ec786017b0a3eeeee0317fb
            • Opcode Fuzzy Hash: d723e0f5936307acfc0305234d7657d0dcb3f0fb123ff0f6c51d8c972f91520d
            • Instruction Fuzzy Hash: 33310F75A00109AFDB10DF54C985EAAB7F8EF05308F148099E905EB292D771EE45CB71
            Function 00E241EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E2424F
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E24264
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E24271
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            • Opcode ID: e8467210c1cf0f4c7a0d65b730aaef19c16a1dbb96ec2456492a84d905110c6d
            • Instruction ID: fcffcac0a6a8a3be53bb4393c4792a82ba854207a3c503ed30f463ca7824e4e7
            • Opcode Fuzzy Hash: e8467210c1cf0f4c7a0d65b730aaef19c16a1dbb96ec2456492a84d905110c6d
            • Instruction Fuzzy Hash: 1E110672240218BEEF215F69DC06FAB3BACEF85B58F111514FA55F20E0D6B1DC219B20
            Function 00DF2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D96B57: _wcslen.LIBCMT ref: 00D96B6A
              • Part of subcall function 00DF2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00DF2DC5
              • Part of subcall function 00DF2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DF2DD6
              • Part of subcall function 00DF2DA7: GetCurrentThreadId.KERNEL32 ref: 00DF2DDD
              • Part of subcall function 00DF2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00DF2DE4
            • GetFocus.USER32 ref: 00DF2F78
              • Part of subcall function 00DF2DEE: GetParent.USER32(00000000), ref: 00DF2DF9
            • GetClassNameW.USER32(?,?,00000100), ref: 00DF2FC3
            • EnumChildWindows.USER32(?,00DF303B), ref: 00DF2FEB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
            • String ID: %s%d
            • API String ID: 1272988791-1110647743
            • Opcode ID: 3ef8f14eca4209b0bebb3b219ea44272c2d36db12602f3fb2229f312ae05ad52
            • Instruction ID: bf802266046f5db74fa3bac11eb21c107185ea27a312b3292c5afefd645db6d7
            • Opcode Fuzzy Hash: 3ef8f14eca4209b0bebb3b219ea44272c2d36db12602f3fb2229f312ae05ad52
            • Instruction Fuzzy Hash: D811A2716002096BCF147FA4CC85EFD776AEF94304F158075BE09AB152EE7099498B70
            Function 00E25882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON
            Download Yara Rule
            APIs
            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00E258C1
            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00E258EE
            • DrawMenuBar.USER32(?), ref: 00E258FD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Menu$InfoItem$Draw
            • String ID: 0
            • API String ID: 3227129158-4108050209
            • Opcode ID: 10c7d65dbd8dc4586d2a79e92239530ec21436fa0dc71ac25888d12d1a25e1ed
            • Instruction ID: b145eb77874a575bb6ed70bf057b5c9e3c70dfced69858539bb282e328d1a10a
            • Opcode Fuzzy Hash: 10c7d65dbd8dc4586d2a79e92239530ec21436fa0dc71ac25888d12d1a25e1ed
            • Instruction Fuzzy Hash: 58016D32500228EFDB219F51EC44BAEBBB4FF85364F108099F859E6151DB708A88DF31
            Function 00DF007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5a07ec26d66fb94d708a69d28a7d3d5d26db19fb1f0bbd9e6d70d3a361d2dd42
            • Instruction ID: 62cd308484bb2c96664ece48b326278e78be0b37b9cefad80915c908216a6338
            • Opcode Fuzzy Hash: 5a07ec26d66fb94d708a69d28a7d3d5d26db19fb1f0bbd9e6d70d3a361d2dd42
            • Instruction Fuzzy Hash: F5C14C75A0021AEFDB14CF94C894ABEBBB5FF48704F258598E605EB252D731ED41CBA0
            Function 00E1342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Variant$ClearInitInitializeUninitialize
            • String ID:
            • API String ID: 1998397398-0
            • Opcode ID: 14e8bfb1f1121cde6c0e1e0229427861b1065ba9d8aa6dbfbd4c56113669426e
            • Instruction ID: 9997dead89f851babcb44bc0a6dbee248a2a9b4881e7fe53d06fd3233be703bb
            • Opcode Fuzzy Hash: 14e8bfb1f1121cde6c0e1e0229427861b1065ba9d8aa6dbfbd4c56113669426e
            • Instruction Fuzzy Hash: 3DA15E756083009FCB50DF28C485A6AB7E5FF88714F15885DF98AAB362DB30ED45CB61
            Function 00DF0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON
            Download Yara Rule
            APIs
            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E2FC08,?), ref: 00DF05F0
            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E2FC08,?), ref: 00DF0608
            • CLSIDFromProgID.OLE32(?,?,00000000,00E2CC40,000000FF,?,00000000,00000800,00000000,?,00E2FC08,?), ref: 00DF062D
            • _memcmp.LIBVCRUNTIME ref: 00DF064E
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: FromProg$FreeTask_memcmp
            • String ID:
            • API String ID: 314563124-0
            • Opcode ID: 38a7f746855c3abc838ebe0f905fb7e2ddbe90cbe206fcbe84a884bd371e68e2
            • Instruction ID: 08bac6e4cb08e131ea4baac5c5517a5e2421c401a9f9ebd6abe3290454cfb609
            • Opcode Fuzzy Hash: 38a7f746855c3abc838ebe0f905fb7e2ddbe90cbe206fcbe84a884bd371e68e2
            • Instruction Fuzzy Hash: 35813D71A00109EFCB04DF94C984DEEBBB9FF89315F258158E606EB251DB71AE06CB60
            Function 00DD1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: 8b7b08c86fff1e4392eca5595d712429ed9eb4d2b51b0cd108f07dd7c9bc2673
            • Instruction ID: 44d8063c1a2ce4774a760f7c4ef740b4810e3e4a9c7c224feff884701bc39322
            • Opcode Fuzzy Hash: 8b7b08c86fff1e4392eca5595d712429ed9eb4d2b51b0cd108f07dd7c9bc2673
            • Instruction Fuzzy Hash: C541393DA00611BBDB256FFD9C46BBE3AA5EF41330F28422BF419D7392E67488419671
            Function 00E26278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON
            Download Yara Rule
            APIs
            • GetWindowRect.USER32(0142EB68,?), ref: 00E262E2
            • ScreenToClient.USER32(?,?), ref: 00E26315
            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00E26382
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            • Opcode ID: f0baee2e74677efd552e9d631bd784fb02fe207ac037b68971e8ff65e6858037
            • Instruction ID: cbc5684744a50223526a59f6c78b7f540f3a94bef9d1a2ccea8eb43ae84d426f
            • Opcode Fuzzy Hash: f0baee2e74677efd552e9d631bd784fb02fe207ac037b68971e8ff65e6858037
            • Instruction Fuzzy Hash: 3C515075900215EFCF11DF68E8809AE7BB5FF95364F109259F815AB2A0D770ED41CB50
            Function 00E11AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON
            Download Yara Rule
            APIs
            • socket.WSOCK32(00000002,00000002,00000011), ref: 00E11AFD
            • WSAGetLastError.WSOCK32 ref: 00E11B0B
            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E11B8A
            • WSAGetLastError.WSOCK32 ref: 00E11B94
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorLast$socket
            • String ID:
            • API String ID: 1881357543-0
            • Opcode ID: 0911e8d5e2e48d68d96ab77d6ac222b706bab5310e7b59b6173b07e60a1a955f
            • Instruction ID: d63a537e79498ada75e5aec2dd134b2d35668c1feaaa33b2960c339e4c24a00c
            • Opcode Fuzzy Hash: 0911e8d5e2e48d68d96ab77d6ac222b706bab5310e7b59b6173b07e60a1a955f
            • Instruction Fuzzy Hash: 6C418575600200AFDB20AF24C886F697BE5EF49718F548498F6199F3D2D772ED818BA1
            Function 00DCB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 72baeb6219ece38551b303d27ca80e108d9d758ffff009d6a177e8aec71e3027
            • Instruction ID: 6eafbbdb952061f71b920a1029732ccc59c07269e872c317413c15185d3a68f3
            • Opcode Fuzzy Hash: 72baeb6219ece38551b303d27ca80e108d9d758ffff009d6a177e8aec71e3027
            • Instruction Fuzzy Hash: 2D41B275A04705AFD7289F78CC42FAABBA9EB88724F10452FF551DB282D771D90187B0
            Function 00E056D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON
            Download Yara Rule
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E05783
            • GetLastError.KERNEL32(?,00000000), ref: 00E057A9
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E057CE
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E057FA
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            • Opcode ID: 1fe0f354ffa25152ac3dd78cdef00dbf502125a3a9e7ce88d2c396a9477530d4
            • Instruction ID: 704417deb9ef22477ee37b40c39a75f1ae57017424797e9421659f40befe2dfa
            • Opcode Fuzzy Hash: 1fe0f354ffa25152ac3dd78cdef00dbf502125a3a9e7ce88d2c396a9477530d4
            • Instruction Fuzzy Hash: 9D411936614A10DFCB51DF15C544A5EBBE2EF89324B198498E84AAB362CB30FD41CBA1
            Function 00DCD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON
            Download Yara Rule
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00DB6D71,00000000,00000000,00DB82D9,?,00DB82D9,?,00000001,00DB6D71,8BE85006,00000001,00DB82D9,00DB82D9), ref: 00DCD910
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DCD999
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00DCD9AB
            • __freea.LIBCMT ref: 00DCD9B4
              • Part of subcall function 00DC3820: RtlAllocateHeap.NTDLL(00000000,?,00E61444,?,00DAFDF5,?,?,00D9A976,00000010,00E61440,00D913FC,?,00D913C6,?,00D91129), ref: 00DC3852
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
            • String ID:
            • API String ID: 2652629310-0
            • Opcode ID: f8d793a1941e28321fee604826f3fc5384e592b0bc5b3746e40c151f0923a749
            • Instruction ID: cbb1353df79ada01722ba74cc95610d9110b8c58ffa12d665cd271e85e8ee5ee
            • Opcode Fuzzy Hash: f8d793a1941e28321fee604826f3fc5384e592b0bc5b3746e40c151f0923a749
            • Instruction Fuzzy Hash: F331BD72A0020AABDF24CF65DC41EAE7BA6EB41310B19426CFC0597290EB35CD54CBB0
            Function 00E252C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00E25352
            • GetWindowLongW.USER32(?,000000F0), ref: 00E25375
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E25382
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E253A8
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: LongWindow$InvalidateMessageRectSend
            • String ID:
            • API String ID: 3340791633-0
            • Opcode ID: 2d3554e089093af3047561966f55d39b25cad32612080a4a0d7965389190117b
            • Instruction ID: 7f2ef9894f0dc061019d240520f27e8b52efb6cfb4f66fa9bb77d333bada3a0e
            • Opcode Fuzzy Hash: 2d3554e089093af3047561966f55d39b25cad32612080a4a0d7965389190117b
            • Instruction Fuzzy Hash: 2331E332A55A2CEFEB30DF14EE06BE937A1AB05394F587101FA10B62E4C7B09D409B52
            Function 00DFAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON
            Download Yara Rule
            APIs
            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00DFABF1
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00DFAC0D
            • PostMessageW.USER32(00000000,00000101,00000000), ref: 00DFAC74
            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00DFACC6
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: aa3ea090ba3f826a3bbb0326cb1b1974d62173f9fa36c222698d9f86dbe2a5b5
            • Instruction ID: 23e71ff5fb60973d8cccad2f88dddbe15f941f0dec9590d84581be1a385f2a61
            • Opcode Fuzzy Hash: aa3ea090ba3f826a3bbb0326cb1b1974d62173f9fa36c222698d9f86dbe2a5b5
            • Instruction Fuzzy Hash: DC3128B4A0071CAFEF34CB69CC147FE7BA5AB89310F19C21AE689521D0C37589858772
            Function 00E27674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON
            Download Yara Rule
            APIs
            • ClientToScreen.USER32(?,?), ref: 00E2769A
            • GetWindowRect.USER32(?,?), ref: 00E27710
            • PtInRect.USER32(?,?,00E28B89), ref: 00E27720
            • MessageBeep.USER32(00000000), ref: 00E2778C
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            • Opcode ID: d9d39e32cb27c0ce65c1a71cecc16e24bd967abcaa74fdf0bf5dad8f28684040
            • Instruction ID: bf4b80876dabd92a6e9517c86aba5a9b76da210358452bc0a50c5b9ae65353c1
            • Opcode Fuzzy Hash: d9d39e32cb27c0ce65c1a71cecc16e24bd967abcaa74fdf0bf5dad8f28684040
            • Instruction Fuzzy Hash: 4241A034605229DFCB12CF59E894EA977F4FF48345F1850AAE894BB261C370E946CF90
            Function 00E216DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON
            Download Yara Rule
            APIs
            • GetForegroundWindow.USER32 ref: 00E216EB
              • Part of subcall function 00DF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DF3A57
              • Part of subcall function 00DF3A3D: GetCurrentThreadId.KERNEL32 ref: 00DF3A5E
              • Part of subcall function 00DF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DF25B3), ref: 00DF3A65
            • GetCaretPos.USER32(?), ref: 00E216FF
            • ClientToScreen.USER32(00000000,?), ref: 00E2174C
            • GetForegroundWindow.USER32 ref: 00E21752
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            • Opcode ID: 8814d060a72ae609944fc48db84550ccca3dc44bc1db01cdad7b800466765298
            • Instruction ID: 1dae6e040e9ba3685294d9c098ee4ce06ac7bdbc0e55ee1f16e2e6df50854c10
            • Opcode Fuzzy Hash: 8814d060a72ae609944fc48db84550ccca3dc44bc1db01cdad7b800466765298
            • Instruction Fuzzy Hash: CB315271D00149AFCB14EFAAC881CAEB7F9EF89304B5480AAE415E7211E731DE45CBB0
            Function 00DFD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON
            Download Yara Rule
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 00DFD501
            • Process32FirstW.KERNEL32(00000000,?), ref: 00DFD50F
            • Process32NextW.KERNEL32(00000000,?), ref: 00DFD52F
            • CloseHandle.KERNEL32(00000000), ref: 00DFD5DC
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
            • String ID:
            • API String ID: 420147892-0
            • Opcode ID: 9b765d2bb83af5dcfe81ae2c765cbc7500baa45b832e9e4177abb7093e81baad
            • Instruction ID: f0eecdc355e172f800707dc2cedd7454b29d7af33f4f8d5ae624c5b65c62864a
            • Opcode Fuzzy Hash: 9b765d2bb83af5dcfe81ae2c765cbc7500baa45b832e9e4177abb7093e81baad
            • Instruction Fuzzy Hash: 6C31C2710083049FD700EF64C881ABFBBF9EF9A354F14092DF585922A1EB719949CBB2
            Function 00E28FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00DA9BB2
            • GetCursorPos.USER32(?), ref: 00E29001
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DE7711,?,?,?,?,?), ref: 00E29016
            • GetCursorPos.USER32(?), ref: 00E2905E
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DE7711,?,?,?), ref: 00E29094
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            • Opcode ID: f6cafbffa8c4d210e876a341eaaa81b88ac4cc8613df310ae5ed26c780fc37fe
            • Instruction ID: d175cf04f9233be06c42eb6c895288f49761895cd66fd03a52a2c86b580ae13f
            • Opcode Fuzzy Hash: f6cafbffa8c4d210e876a341eaaa81b88ac4cc8613df310ae5ed26c780fc37fe
            • Instruction Fuzzy Hash: 3C21D13160002CEFCB268F95EC58EFA7BB9FF89350F145155F905A72A2C3759990DB60
            Function 00DFD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON
            Download Yara Rule
            APIs
            • GetFileAttributesW.KERNEL32(?,00E2CB68), ref: 00DFD2FB
            • GetLastError.KERNEL32 ref: 00DFD30A
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00DFD319
            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E2CB68), ref: 00DFD376
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CreateDirectory$AttributesErrorFileLast
            • String ID:
            • API String ID: 2267087916-0
            • Opcode ID: 378361ff0f38e8d8048546bcb0295d79ebae908ab91f044928a3e80f350e731e
            • Instruction ID: 874feac97d263e9cd1292fad5e169d319d185025d0290e4b89144fbacfa51528
            • Opcode Fuzzy Hash: 378361ff0f38e8d8048546bcb0295d79ebae908ab91f044928a3e80f350e731e
            • Instruction Fuzzy Hash: 2421B1715043059F8710DF68D88187EB7E6EF55324F248A1DF699D32A1DB30D90ACBA3
            Function 00DF1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DF1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DF102A
              • Part of subcall function 00DF1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DF1036
              • Part of subcall function 00DF1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF1045
              • Part of subcall function 00DF1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF104C
              • Part of subcall function 00DF1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DF1062
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00DF15BE
            • _memcmp.LIBVCRUNTIME ref: 00DF15E1
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DF1617
            • HeapFree.KERNEL32(00000000), ref: 00DF161E
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
            • String ID:
            • API String ID: 1592001646-0
            • Opcode ID: 3fb11c5cf9ffa26a6fc7a5a1218d90d02b5c33f901739fdf6dc215cee18b04fb
            • Instruction ID: bfab43aec14e03fdf005c02c26985000114b2bca3938df6a16f5e45718986e78
            • Opcode Fuzzy Hash: 3fb11c5cf9ffa26a6fc7a5a1218d90d02b5c33f901739fdf6dc215cee18b04fb
            • Instruction Fuzzy Hash: AB217835E00108EFDF10DFA4C945BFEB7B8EF44344F1A8459E541AB241E731AA49CBA0
            Function 00E22782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON
            Download Yara Rule
            APIs
            • GetWindowLongW.USER32(?,000000EC), ref: 00E2280A
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E22824
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E22832
            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00E22840
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$Long$AttributesLayered
            • String ID:
            • API String ID: 2169480361-0
            • Opcode ID: ca5a4143f45162a9ba3fdb7a070abfeb347582a545e2524a499c81759653c061
            • Instruction ID: 303685b79b05aca38cc5eb365b9456e8731fef4ca0d145cd636b7dc09b1b5f93
            • Opcode Fuzzy Hash: ca5a4143f45162a9ba3fdb7a070abfeb347582a545e2524a499c81759653c061
            • Instruction Fuzzy Hash: D4210331208120BFD7189B24DC44FAA7B95EF85324F24825DF5269B6E2CB71FC42CBA0
            Function 00DF78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DF8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00DF790A,?,000000FF,?,00DF8754,00000000,?,0000001C,?,?), ref: 00DF8D8C
              • Part of subcall function 00DF8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00DF8DB2
              • Part of subcall function 00DF8D7D: lstrcmpiW.KERNEL32(00000000,?,00DF790A,?,000000FF,?,00DF8754,00000000,?,0000001C,?,?), ref: 00DF8DE3
            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00DF8754,00000000,?,0000001C,?,?,00000000), ref: 00DF7923
            • lstrcpyW.KERNEL32(00000000,?), ref: 00DF7949
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00DF8754,00000000,?,0000001C,?,?,00000000), ref: 00DF7984
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            • Opcode ID: 8fc1a7313f2d3507ca58f0b6f5669aef54bd1e397b23abeebc6ef051975e8e06
            • Instruction ID: ad1f908da076f584cd47cd96cb877db89cded707baa1f5d0be20c61608e11a2a
            • Opcode Fuzzy Hash: 8fc1a7313f2d3507ca58f0b6f5669aef54bd1e397b23abeebc6ef051975e8e06
            • Instruction Fuzzy Hash: 1511293A200305AFDB259F35DC45DBA77A5FF45350B50802AFA42CB2A4EB71D812CBB1
            Function 00E27CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
            Download Yara Rule
            APIs
            • GetWindowLongW.USER32(?,000000F0), ref: 00E27D0B
            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00E27D2A
            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E27D42
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00E0B7AD,00000000), ref: 00E27D6B
              • Part of subcall function 00DA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00DA9BB2
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$Long
            • String ID:
            • API String ID: 847901565-0
            • Opcode ID: 9eedd07a414ba66fa7d762364115405fa0d241e1b2956617a409657f6630fdce
            • Instruction ID: 159b798f2261403e14ce90f66289557158ac8f3dd2cef72f45ac6d55f1ef8c08
            • Opcode Fuzzy Hash: 9eedd07a414ba66fa7d762364115405fa0d241e1b2956617a409657f6630fdce
            • Instruction Fuzzy Hash: 8311E431204625AFCB108F29EC04ABA3BA5EF463A4B255724F875E72F0D730DD51CB50
            Function 00E25660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,00001060,?,00000004), ref: 00E256BB
            • _wcslen.LIBCMT ref: 00E256CD
            • _wcslen.LIBCMT ref: 00E256D8
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E25816
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend_wcslen
            • String ID:
            • API String ID: 455545452-0
            • Opcode ID: 8f3e1adeb1bd34121ed113e2cc3fd0168f10d4346aab6a1ddf871514e4534404
            • Instruction ID: 852049f5598b6da84b0abf5b9ec04a1e63a4472665013604b19ee5ffd09621f2
            • Opcode Fuzzy Hash: 8f3e1adeb1bd34121ed113e2cc3fd0168f10d4346aab6a1ddf871514e4534404
            • Instruction Fuzzy Hash: 9B11A272600624D6DB209B65ED85AEE77ACFB50764B50502AF926B6081EB70C984CB60
            Function 00DC1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 794d1211eed63cadc5cbbfacd4c2c45c24b2f89dc9f3ed17c07f75f3cb5c8e96
            • Instruction ID: 9a8b9d877602a80ab995f4a2858029d3d31ac863cac4d6d453de955a5372a127
            • Opcode Fuzzy Hash: 794d1211eed63cadc5cbbfacd4c2c45c24b2f89dc9f3ed17c07f75f3cb5c8e96
            • Instruction Fuzzy Hash: 1A018FB6205A273EFA2116787CC1F27661DDF423B8B39032DF522621D6DB708C0145B0
            Function 00DF1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00DF1A47
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DF1A59
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DF1A6F
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DF1A8A
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 02c96fb566ac56b79244eca1715aaa5b648bf1a4377695fe1a83f13f2de7d260
            • Instruction ID: 923f1115aab15612bd6cfa36a4f5989c7b2146a11f6446e3f78ae78a4e010f8a
            • Opcode Fuzzy Hash: 02c96fb566ac56b79244eca1715aaa5b648bf1a4377695fe1a83f13f2de7d260
            • Instruction Fuzzy Hash: 7D11393AD01219FFEB10DBA5CD85FADBB78FB08754F214091EA00B7290D671AE51DBA4
            Function 00DFE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON
            Download Yara Rule
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00DFE1FD
            • MessageBoxW.USER32(?,?,?,?), ref: 00DFE230
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DFE246
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DFE24D
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
            • String ID:
            • API String ID: 2880819207-0
            • Opcode ID: 1de02826ee575036d61fef757df1c3a4803d01b75d89ae12a7649d7a2cf8e758
            • Instruction ID: 3b517bc495bfc0833394ba39294d2725c4aadc5dba97cfa98bac0938cf54a089
            • Opcode Fuzzy Hash: 1de02826ee575036d61fef757df1c3a4803d01b75d89ae12a7649d7a2cf8e758
            • Instruction Fuzzy Hash: 78114872904208BFC7119BA9EC05AAF3FACAB41320F198655F915F3390E2B0C90887B0
            Function 00DBD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON
            Download Yara Rule
            APIs
            • CreateThread.KERNEL32(00000000,?,00DBCFF9,00000000,00000004,00000000), ref: 00DBD218
            • GetLastError.KERNEL32 ref: 00DBD224
            • __dosmaperr.LIBCMT ref: 00DBD22B
            • ResumeThread.KERNEL32(00000000), ref: 00DBD249
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Thread$CreateErrorLastResume__dosmaperr
            • String ID:
            • API String ID: 173952441-0
            • Opcode ID: bdf3be8f8ba2a36b31d124b0081fdc83abd5201fc88eefc2688e23f229d94faf
            • Instruction ID: 689915ed41bf80f0b001423c638552b98503bee07791f4f8d3f19b716c8eb946
            • Opcode Fuzzy Hash: bdf3be8f8ba2a36b31d124b0081fdc83abd5201fc88eefc2688e23f229d94faf
            • Instruction Fuzzy Hash: 7701F936805204FFCB215BA6DC05BEE7B6ADF81730F240259F926961D0EB71C905C7B0
            Function 00E29EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00DA9BB2
            • GetClientRect.USER32(?,?), ref: 00E29F31
            • GetCursorPos.USER32(?), ref: 00E29F3B
            • ScreenToClient.USER32(?,?), ref: 00E29F46
            • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00E29F7A
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Client$CursorLongProcRectScreenWindow
            • String ID:
            • API String ID: 4127811313-0
            • Opcode ID: e637ce891681c099c1433095c6d9d90e75a333a6f8d31a4d3ff61822b53a91eb
            • Instruction ID: ba8884345553c8a8b9034ce48af39a18e2c20f41d9abf6b5012ae03e950d48b5
            • Opcode Fuzzy Hash: e637ce891681c099c1433095c6d9d90e75a333a6f8d31a4d3ff61822b53a91eb
            • Instruction Fuzzy Hash: E1115532A0012AABEB109F69E9899FE77B8FB45301F102451F811F3041C330AA86CBA1
            Function 00D9600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON
            Download Yara Rule
            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D9604C
            • GetStockObject.GDI32(00000011), ref: 00D96060
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D9606A
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CreateMessageObjectSendStockWindow
            • String ID:
            • API String ID: 3970641297-0
            • Opcode ID: 4818c7e6bd5f9a3705f68375f624a406ed65e6594b199c09c9fc535f06876307
            • Instruction ID: c26c0f1d1cbba53438dccd4e72a1671fb116200fe249627bb3bd0bab544f3cc6
            • Opcode Fuzzy Hash: 4818c7e6bd5f9a3705f68375f624a406ed65e6594b199c09c9fc535f06876307
            • Instruction Fuzzy Hash: AD118072501508BFEF224FA5DC94EEABB69FF183A4F140216FA1862110D772DC61DFA1
            Function 00DB3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • ___BuildCatchObject.LIBVCRUNTIME ref: 00DB3B56
              • Part of subcall function 00DB3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00DB3AD2
              • Part of subcall function 00DB3AA3: ___AdjustPointer.LIBCMT ref: 00DB3AED
            • _UnwindNestedFrames.LIBCMT ref: 00DB3B6B
            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00DB3B7C
            • CallCatchBlock.LIBVCRUNTIME ref: 00DB3BA4
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
            • String ID:
            • API String ID: 737400349-0
            • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
            • Instruction ID: 293490f3c6238b6c2f966848779e0e40cdbbb0f753ca52e37c6f8aa91a219eef
            • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
            • Instruction Fuzzy Hash: 09012932100148FBDF12AE95CC42EEB7B69EF58754F044014FE4956121C732E961EBB0
            Function 00DC3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D913C6,00000000,00000000,?,00DC301A,00D913C6,00000000,00000000,00000000,?,00DC328B,00000006,FlsSetValue), ref: 00DC30A5
            • GetLastError.KERNEL32(?,00DC301A,00D913C6,00000000,00000000,00000000,?,00DC328B,00000006,FlsSetValue,00E32290,FlsSetValue,00000000,00000364,?,00DC2E46), ref: 00DC30B1
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00DC301A,00D913C6,00000000,00000000,00000000,?,00DC328B,00000006,FlsSetValue,00E32290,FlsSetValue,00000000), ref: 00DC30BF
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: c2babae28ab256170ab30891408c870dd080566b9054ef6a98dfe188e768d02c
            • Instruction ID: ac33da82d79de98e5ad73a8a800fbbbf3ca63ac76cc9509ab9cbe3bfe5a61d1b
            • Opcode Fuzzy Hash: c2babae28ab256170ab30891408c870dd080566b9054ef6a98dfe188e768d02c
            • Instruction Fuzzy Hash: 2E01D833301623AFCB314E79EC44F677B98AF05BA1B248628F946E3190C721D906D6F0
            Function 00DF7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON
            Download Yara Rule
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00DF747F
            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00DF7497
            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00DF74AC
            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00DF74CA
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Type$Register$FileLoadModuleNameUser
            • String ID:
            • API String ID: 1352324309-0
            • Opcode ID: 46c7679f0f89f3ab03e5be1d516476b8eea80cdf43a116499fe86698dc5e8f0f
            • Instruction ID: 5a70a45c0b6f9322a57f3b7c2f18d8561565d4f6664c23dcea01bdae9ec2645a
            • Opcode Fuzzy Hash: 46c7679f0f89f3ab03e5be1d516476b8eea80cdf43a116499fe86698dc5e8f0f
            • Instruction Fuzzy Hash: C2118EB12053199FE7309F14EC09BE67BFCEB00B00F21C569A666D7191D770E908DBA0
            Function 00DFB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON
            Download Yara Rule
            APIs
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00DFACD3,?,00008000), ref: 00DFB0C4
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DFACD3,?,00008000), ref: 00DFB0E9
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00DFACD3,?,00008000), ref: 00DFB0F3
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DFACD3,?,00008000), ref: 00DFB126
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CounterPerformanceQuerySleep
            • String ID:
            • API String ID: 2875609808-0
            • Opcode ID: 8f5861c87915411e4efd0a534b1cd1d2f26502000af402979d20968ee576de54
            • Instruction ID: 1b20c94bacf874e68d305c08d4f826469274757fcde49d5bb1029a6cda57ba45
            • Opcode Fuzzy Hash: 8f5861c87915411e4efd0a534b1cd1d2f26502000af402979d20968ee576de54
            • Instruction Fuzzy Hash: 8F116131C01A2CDBCF109FE5D9596FEBB78FF0A721F128086DA41B2141CB309555CB61
            Function 00DF2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON
            Download Yara Rule
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00DF2DC5
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DF2DD6
            • GetCurrentThreadId.KERNEL32 ref: 00DF2DDD
            • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00DF2DE4
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: ebe2f12630ed13011b5686c8c7d683478adcb9ad08a5e64bc23645788636cd22
            • Instruction ID: 255be81b17dbbd16db4120ed78fa1ecc0b5d8acd3f6ac00ba04157ff787f8fb1
            • Opcode Fuzzy Hash: ebe2f12630ed13011b5686c8c7d683478adcb9ad08a5e64bc23645788636cd22
            • Instruction Fuzzy Hash: 85E06D711016287BE7301B63DC0EEFB7E6CEB42FA1F654115B206E10809AA4C88AC6F0
            Function 00E28863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DA9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DA9693
              • Part of subcall function 00DA9639: SelectObject.GDI32(?,00000000), ref: 00DA96A2
              • Part of subcall function 00DA9639: BeginPath.GDI32(?), ref: 00DA96B9
              • Part of subcall function 00DA9639: SelectObject.GDI32(?,00000000), ref: 00DA96E2
            • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00E28887
            • LineTo.GDI32(?,?,?), ref: 00E28894
            • EndPath.GDI32(?), ref: 00E288A4
            • StrokePath.GDI32(?), ref: 00E288B2
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: 662815d5d367f59076d25f55d6fd9c794c1cee7088d3b980443a71f2952d2dba
            • Instruction ID: 0c9c15c8f92c6f70275e0b2c842a930705b4d9f3cdcb8d776c53f7e02daa6f32
            • Opcode Fuzzy Hash: 662815d5d367f59076d25f55d6fd9c794c1cee7088d3b980443a71f2952d2dba
            • Instruction Fuzzy Hash: 44F03A36042668BAEB225F95AC0AFCE3A69AF06350F548040FA12750E1C7B55526CBE5
            Function 00DA98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
            Download Yara Rule
            APIs
            • GetSysColor.USER32(00000008), ref: 00DA98CC
            • SetTextColor.GDI32(?,?), ref: 00DA98D6
            • SetBkMode.GDI32(?,00000001), ref: 00DA98E9
            • GetStockObject.GDI32(00000005), ref: 00DA98F1
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Color$ModeObjectStockText
            • String ID:
            • API String ID: 4037423528-0
            • Opcode ID: 077da0509f1b9cc795a2a578faf042156d6134d07271bdce68293fa37e5ee98c
            • Instruction ID: e31984b9c8aa085bd43b3a94ffa21b288265c05126c8550774d09ab18e8fa4fa
            • Opcode Fuzzy Hash: 077da0509f1b9cc795a2a578faf042156d6134d07271bdce68293fa37e5ee98c
            • Instruction Fuzzy Hash: BAE09B31244680AEDB315B76FC09BDD3F21EB12336F188219F6F9640E1C37146559F21
            Function 00DF162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON
            Download Yara Rule
            APIs
            • GetCurrentThread.KERNEL32 ref: 00DF1634
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00DF11D9), ref: 00DF163B
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00DF11D9), ref: 00DF1648
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00DF11D9), ref: 00DF164F
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: e1d6225a4cec8db6ea98a503c64cf924cacbff386d85e4a9aba989377ceb07c5
            • Instruction ID: 69fb93720eeb5217283bfdd9d9eaac811fffb672da23f372a34454b91bcb11ce
            • Opcode Fuzzy Hash: e1d6225a4cec8db6ea98a503c64cf924cacbff386d85e4a9aba989377ceb07c5
            • Instruction Fuzzy Hash: 2AE08636601211DFD7301FA2DD0DF5A3B7CAF44791F298808F345EA090E634444AC764
            Function 00DED858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
            Download Yara Rule
            APIs
            • GetDesktopWindow.USER32 ref: 00DED858
            • GetDC.USER32(00000000), ref: 00DED862
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DED882
            • ReleaseDC.USER32(?), ref: 00DED8A3
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: eb020fe516878c53298f2dca4349b9e0ffa559de2988da25145d2915cb1518f1
            • Instruction ID: 24ff9524341ec1f7f5389bc8744d7edc7761873dc0e46d56c45d299b12259588
            • Opcode Fuzzy Hash: eb020fe516878c53298f2dca4349b9e0ffa559de2988da25145d2915cb1518f1
            • Instruction Fuzzy Hash: 37E01271800204DFCF519FA1D80866DBBB2FF08710F208005F846F7250C7348506AFA0
            Function 00DED86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON
            Download Yara Rule
            APIs
            • GetDesktopWindow.USER32 ref: 00DED86C
            • GetDC.USER32(00000000), ref: 00DED876
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DED882
            • ReleaseDC.USER32(?), ref: 00DED8A3
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 0795abd5ef7506e9bd4ad8233d2a267217539b1eda58954edee27ba67780d432
            • Instruction ID: 40fb2a18fc3803c0195cbc73093e72d70c4ba1d8ccfb541593b787bd791c21e7
            • Opcode Fuzzy Hash: 0795abd5ef7506e9bd4ad8233d2a267217539b1eda58954edee27ba67780d432
            • Instruction Fuzzy Hash: 42E09A75C00204DFCF619FA1D80866DBBB5FF48B11B249449F94AF7250D73859069F94
            Function 00E04D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D97620: _wcslen.LIBCMT ref: 00D97625
            • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00E04ED4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Connection_wcslen
            • String ID: *$LPT
            • API String ID: 1725874428-3443410124
            • Opcode ID: e23da90cbb147673b06d39e298b909b1adc573f8993c33b9eb535a85757638c9
            • Instruction ID: f1646aa67f95b0a262340fddf56f985a16d6b1d3268e4cd7a10325f1217128fa
            • Opcode Fuzzy Hash: e23da90cbb147673b06d39e298b909b1adc573f8993c33b9eb535a85757638c9
            • Instruction Fuzzy Hash: 2B915FB5A042059FCB14DF54C584EAABBF1EF44308F199099E50AAF3E2D731ED85CBA1
            Function 00DBE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON
            Download Yara Rule
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 00DBE30D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ErrorHandling__start
            • String ID: pow
            • API String ID: 3213639722-2276729525
            • Opcode ID: c7ab2e9c0533b1e663b7e718d78fe465b310a4a06b3517f97c893e6ac075e4ca
            • Instruction ID: 458ef420e3fc10fd7e3c13c6e8a015c3f4f1f9bef2090495017d1eee4d27f7e6
            • Opcode Fuzzy Hash: c7ab2e9c0533b1e663b7e718d78fe465b310a4a06b3517f97c893e6ac075e4ca
            • Instruction Fuzzy Hash: 5E512761A0C207DACB117714C901BFA2BE8EB40741F28899CF0D7933A9DB348C959EB6
            Function 00E17771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON
            Download Yara Rule
            APIs
            • CharUpperBuffW.USER32(00DE569E,00000000,?,00E2CC08,?,00000000,00000000), ref: 00E178DD
              • Part of subcall function 00D96B57: _wcslen.LIBCMT ref: 00D96B6A
            • CharUpperBuffW.USER32(00DE569E,00000000,?,00E2CC08,00000000,?,00000000,00000000), ref: 00E1783B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: BuffCharUpper$_wcslen
            • String ID: <s
            • API String ID: 3544283678-2940880691
            • Opcode ID: 205c96a260f4fddf5b6242084b21397f638f6380952dbbac89f545968fee3753
            • Instruction ID: 146639336e5280ead982b3ca4cc256530bc4a09ebd905d16ad13a4b7f576b019
            • Opcode Fuzzy Hash: 205c96a260f4fddf5b6242084b21397f638f6380952dbbac89f545968fee3753
            • Instruction Fuzzy Hash: 10611C76914129AACF04EBA4CC91DFDB378FF54B04B545529E582B7091EF30AA89CBB0
            Function 00DAE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID:
            • String ID: #
            • API String ID: 0-1885708031
            • Opcode ID: e9ac957d3ef360c31ddcb632b9d86ba5a8f012db25c430faa15f979de6999d5f
            • Instruction ID: 9ff2d90ab353ac251406ae60db25863b6c6d994cd25061a2ded69ee939de89eb
            • Opcode Fuzzy Hash: e9ac957d3ef360c31ddcb632b9d86ba5a8f012db25c430faa15f979de6999d5f
            • Instruction Fuzzy Hash: 68512235504286DFDF25FF29C481ABA7BA9EF66310F284059EC919B2D0D630DD42CBB0
            Function 00DAF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
            Download Yara Rule
            APIs
            • Sleep.KERNEL32(00000000), ref: 00DAF2A2
            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00DAF2BB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: c6ec87dbbffbb23d51a1c1e0d9adc4a4fb1bc2ca812d24c109d7531c3c3b52fa
            • Instruction ID: 3a2dd591571e867bc0c4ec09becf00c32226dc8f2cf0a168177cf2383120aa81
            • Opcode Fuzzy Hash: c6ec87dbbffbb23d51a1c1e0d9adc4a4fb1bc2ca812d24c109d7531c3c3b52fa
            • Instruction Fuzzy Hash: 655153724187849BD720AF11D886BAFBBF8FF85300F81884CF299511A5EB708569CB76
            Function 00E15745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON
            Download Yara Rule
            APIs
            • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00E157E0
            • _wcslen.LIBCMT ref: 00E157EC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: BuffCharUpper_wcslen
            • String ID: CALLARGARRAY
            • API String ID: 157775604-1150593374
            • Opcode ID: 3f8bb71e13fd258a47524704f2bac27ce5d6755d9a96bdae47ba99b25919542f
            • Instruction ID: f08fdd20458904a3be77a41f2499eb9c965cd1324b151ea3d2738800082643f0
            • Opcode Fuzzy Hash: 3f8bb71e13fd258a47524704f2bac27ce5d6755d9a96bdae47ba99b25919542f
            • Instruction Fuzzy Hash: AA417F72A00109DFCB18DFA9C8829FEBBB5EF99314F10506DE505B7291D7709D81CBA0
            Function 00E0D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON
            Download Yara Rule
            APIs
            • _wcslen.LIBCMT ref: 00E0D130
            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E0D13A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CrackInternet_wcslen
            • String ID: |
            • API String ID: 596671847-2343686810
            • Opcode ID: f61109d7b9ede3ef7664bac9aedf404b6b104f478fae4e7cc99da12afce48c74
            • Instruction ID: 0d21da9138c73f78e587e09c0c4c8b7bcbd287f1cb74094b6d75c08de0419570
            • Opcode Fuzzy Hash: f61109d7b9ede3ef7664bac9aedf404b6b104f478fae4e7cc99da12afce48c74
            • Instruction Fuzzy Hash: 57312A71D01219ABCF15EFA5CC85AEEBFB9FF04344F104019F815B6266EB31AA46CB60
            Function 00E2356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON
            Download Yara Rule
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 00E23621
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E2365C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: 895f0c80d6076b318e7b12ca1500dcff58ae11cb5982ab1c1184cbc61c9c98c0
            • Instruction ID: 9607a27886bdc4185e9ad7f4091ac32435e068c1c7c4af7f234247d72feca913
            • Opcode Fuzzy Hash: 895f0c80d6076b318e7b12ca1500dcff58ae11cb5982ab1c1184cbc61c9c98c0
            • Instruction Fuzzy Hash: C531A171110614AEDB20DF34EC40EFB73A9FF48714F109619F855A7180DA34AD81CB60
            Function 00E24537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00E2461F
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E24634
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: '
            • API String ID: 3850602802-1997036262
            • Opcode ID: 38854790c8b2f6a249f5f3e8e4357ea7b8547c75f88cc398e3d2020f9daf671a
            • Instruction ID: 86aef01caf09b088b1d8737a7a1d8a0183068c7f94017bbdd98288d90b5d1902
            • Opcode Fuzzy Hash: 38854790c8b2f6a249f5f3e8e4357ea7b8547c75f88cc398e3d2020f9daf671a
            • Instruction Fuzzy Hash: 773137B5A0032A9FDF14CFA9D980BDABBB5FF49304F14506AE944AB381D770A941CF90
            Function 00E231EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E2327C
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E23287
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: dd2b4ef39b13fee98c69c9e9ce4a02a27602f8885051eef65c277ecbfccdb6e6
            • Instruction ID: 9290415264b0811e2ec15369c2d8df635a8cd6099ab6a8b8c5def6e1979c8c7b
            • Opcode Fuzzy Hash: dd2b4ef39b13fee98c69c9e9ce4a02a27602f8885051eef65c277ecbfccdb6e6
            • Instruction Fuzzy Hash: 7411E672300218BFEF259E64EC80EBB376BEB54368F201524F918B72A0D6759D518B60
            Function 00E23710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D9600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D9604C
              • Part of subcall function 00D9600E: GetStockObject.GDI32(00000011), ref: 00D96060
              • Part of subcall function 00D9600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D9606A
            • GetWindowRect.USER32(00000000,?), ref: 00E2377A
            • GetSysColor.USER32(00000012), ref: 00E23794
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: 9b5585ec02b982a9d97b4ee4e10ea985c3ef0f33f26d75667b3217ff876e2050
            • Instruction ID: 9740eadd2b9d6ca4d1a5b1c49fc5a15aadb9fd57ed121050ac1cda9f4b702462
            • Opcode Fuzzy Hash: 9b5585ec02b982a9d97b4ee4e10ea985c3ef0f33f26d75667b3217ff876e2050
            • Instruction Fuzzy Hash: 231159B2610219AFDF00DFB8DC45AEE7BB9FB08304F105915F955E2250D774E8119B60
            Function 00E0CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON
            Download Yara Rule
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E0CD7D
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E0CDA6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: aa391faa978e9e0a70598264c202e05659d102e880d288d4df02378fa7f957cb
            • Instruction ID: ba400da5abb966513a960686131ac902473e9de846c9bb2bc832ca7d2d519054
            • Opcode Fuzzy Hash: aa391faa978e9e0a70598264c202e05659d102e880d288d4df02378fa7f957cb
            • Instruction Fuzzy Hash: 0311C6712156317AD7344B668C45EE7BE6CEF127A8F205336B109A30C0D77099C5D6F0
            Function 00E23429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
            Download Yara Rule
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 00E234AB
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E234BA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: 727080cdbc4ebc183d836f477f07a0280918866d7e15ce1428cf29fadd52ec8b
            • Instruction ID: 96da371fdd10bb5c5f3baf027ef163bcc1f65fbc6645afbe2bfc4bf716237de7
            • Opcode Fuzzy Hash: 727080cdbc4ebc183d836f477f07a0280918866d7e15ce1428cf29fadd52ec8b
            • Instruction Fuzzy Hash: B811BF71100228AFEB226F74EC40AEB376AEB04778F606364FA70A31D0C779DC519B60
            Function 00DF6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
            • CharUpperBuffW.USER32(?,?,?), ref: 00DF6CB6
            • _wcslen.LIBCMT ref: 00DF6CC2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: STOP
            • API String ID: 1256254125-2411985666
            • Opcode ID: 07ae0f30cdb593f13c5f2f171a9b4119186b6286da0caad9aea681897ffd8edd
            • Instruction ID: 370f5834840c300c69477dc047883bd0fe8e7986e045265059b70dbcfc7747d9
            • Opcode Fuzzy Hash: 07ae0f30cdb593f13c5f2f171a9b4119186b6286da0caad9aea681897ffd8edd
            • Instruction Fuzzy Hash: 7F01263260052E9BCB20AFBDDC908BF77B4EB6171071A4528E9A293195EB31D840C670
            Function 00DF1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
              • Part of subcall function 00DF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DF3CCA
            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DF1D4C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: 12700c528d1431d887cb6ec9f8d02385910c8045d9b992e41cb22c5dff402ef5
            • Instruction ID: b5ed7b82dd189f8437d731f8a56b59837e4378eefc9488f01f0eb0e82fe1f874
            • Opcode Fuzzy Hash: 12700c528d1431d887cb6ec9f8d02385910c8045d9b992e41cb22c5dff402ef5
            • Instruction Fuzzy Hash: D001B175601218AB8F18EBA4CC658FEB3B8EB46350B144A1EA972672D1EA3199088670
            Function 00DF1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
              • Part of subcall function 00DF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DF3CCA
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00DF1C46
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: 6aeac2cceb8bd1598b640aae64fd7d65969aa16c992a66ddee0ed4339a24561e
            • Instruction ID: 2f0793625d9f649a736e2136ec41b83fc0e49996f02c22191847810b154b62f2
            • Opcode Fuzzy Hash: 6aeac2cceb8bd1598b640aae64fd7d65969aa16c992a66ddee0ed4339a24561e
            • Instruction Fuzzy Hash: A201A77568120CAACF14EB94CD659FFB7A8DB11340F15441DAA5677281EA209E1CC6B1
            Function 00DF1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
              • Part of subcall function 00DF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DF3CCA
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00DF1CC8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: bcc4864d51a54ecf4150213fd57a4558ab036ed1fe68de7eb92f52d0851c5d33
            • Instruction ID: dfabed44c1ccd3b4f276f0804ce7c7884d8ef35710305250068d4efbf709f520
            • Opcode Fuzzy Hash: bcc4864d51a54ecf4150213fd57a4558ab036ed1fe68de7eb92f52d0851c5d33
            • Instruction Fuzzy Hash: 5E01D6B5A8021CA7CF14EBA6CE21AFEF7A8DB11340F154419B95277281EA219F18C672
            Function 00DF1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00D99CB3: _wcslen.LIBCMT ref: 00D99CBD
              • Part of subcall function 00DF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DF3CCA
            • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00DF1DD3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: f89f6af846656cc7b4719ad053a7b66a6e2607de93a87fd151689f7ac42c4aa0
            • Instruction ID: a117f9e863ce1efcec6082466c574d8e680e9228f53dc39f601579fe1f54e160
            • Opcode Fuzzy Hash: f89f6af846656cc7b4719ad053a7b66a6e2607de93a87fd151689f7ac42c4aa0
            • Instruction Fuzzy Hash: BEF0A475A41218A6DF14EBA9CC66AFEB7B8EB01350F050919B962772C1DA70990C8271
            Function 00E28172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON
            Download Yara Rule
            APIs
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E63018,00E6305C), ref: 00E281BF
            • CloseHandle.KERNEL32 ref: 00E281D1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CloseCreateHandleProcess
            • String ID: \0
            • API String ID: 3712363035-3218720685
            • Opcode ID: d3510c6d82eca5bf925995474780ad3ff918373044c6c4e552b136736e84ebcf
            • Instruction ID: cf353cea32edcc32fcb05980645446b3d732773358d708f9fbb2480f3d8d7355
            • Opcode Fuzzy Hash: d3510c6d82eca5bf925995474780ad3ff918373044c6c4e552b136736e84ebcf
            • Instruction Fuzzy Hash: 53F030B1640300BEE2606772BC45FB73A5CDB04B90F100464FA08F51A2D6A58E1882B8
            Function 00E1747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: 3, 3, 16, 1
            • API String ID: 176396367-3042988571
            • Opcode ID: 4c0adeb829171c20c36e23cb9aa8d94c4f162a1772114873b5a481b3a06e65c9
            • Instruction ID: 049c5865bb5c59da373e97919d45d54483077530b327252099a9b11e5964e742
            • Opcode Fuzzy Hash: 4c0adeb829171c20c36e23cb9aa8d94c4f162a1772114873b5a481b3a06e65c9
            • Instruction Fuzzy Hash: B2E02B222043205093311279ACC19FF5A99DFC9BA0714282FF9D2E2267EA948DD193B0
            Function 00DF0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON
            Download Yara Rule
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00DF0B23
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Message
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 2030045667-4017498283
            • Opcode ID: 97db8c2240e6414b41c08f62989d72c113807276da4af3d3a34689173a9d5d2d
            • Instruction ID: 8124d7ca67b2488937daee20c735af6f802036579eb6112fc735a40932253813
            • Opcode Fuzzy Hash: 97db8c2240e6414b41c08f62989d72c113807276da4af3d3a34689173a9d5d2d
            • Instruction Fuzzy Hash: 43E0D8322443186AD2213794BC03F8D7A84CF06B51F200466FB58654C38AE1649046F9
            Function 00DB0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00DAF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DB0D71,?,?,?,00D9100A), ref: 00DAF7CE
            • IsDebuggerPresent.KERNEL32(?,?,?,00D9100A), ref: 00DB0D75
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D9100A), ref: 00DB0D84
            Strings
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DB0D7F
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
            • API String ID: 55579361-631824599
            • Opcode ID: 46e635edb68f43f119caf87b218dbb91c46709c960613f3baaf30657f0c45823
            • Instruction ID: 95aafac79589a8e9c5ed6bb17b0e69be7c70519937e215b899c40e2e052bf654
            • Opcode Fuzzy Hash: 46e635edb68f43f119caf87b218dbb91c46709c960613f3baaf30657f0c45823
            • Instruction Fuzzy Hash: 5DE03970200711CFD3319FA9E4083867BE0AB00740F05896DE486D6AA1DBB0E4498BB1
            Function 00DAE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON
            Download Yara Rule
            APIs
            • __Init_thread_footer.LIBCMT ref: 00DAE3D5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: 0%$8%
            • API String ID: 1385522511-2949748613
            • Opcode ID: cbe207bf96e875b7a1fd6b73c4f51e417b24a0175c85cf14b46301c463cf9cfc
            • Instruction ID: e0cb20f1df82eb0719fc6fa04815e75b98c48a0f29c32b5fba968958899cbef6
            • Opcode Fuzzy Hash: cbe207bf96e875b7a1fd6b73c4f51e417b24a0175c85cf14b46301c463cf9cfc
            • Instruction Fuzzy Hash: 57E02632440E10CFCE24A71DB895A8A3351EB5A3A1B10957EE303E71D1BB712845C67B
            Function 00DED21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: LocalTime
            • String ID: %.3d$X64
            • API String ID: 481472006-1077770165
            • Opcode ID: 08ad3d4a397af1c29dacf069c490a824d74660e5c5e6569b3c4e21f58ccab63e
            • Instruction ID: a197b8192c25e407f2c79b507e28ee32a8d2bad2271dd5389aceabd4fcc4f701
            • Opcode Fuzzy Hash: 08ad3d4a397af1c29dacf069c490a824d74660e5c5e6569b3c4e21f58ccab63e
            • Instruction Fuzzy Hash: 25D01261808148E9CB50ABE1DC458B9B37DEB09341F608452FA96A1050EA34C5086775
            Function 00E22356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
            Download Yara Rule
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E2236C
            • PostMessageW.USER32(00000000), ref: 00E22373
              • Part of subcall function 00DFE97B: Sleep.KERNEL32 ref: 00DFE9F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: c6366c7e86d1317f88172645c77f7eb852d0b096b06d47a7312095c884c4f667
            • Instruction ID: 8831bf5c5a66de517a2dd9c07f4066155cd8a3cf54f1c04767082dd32a30bfe3
            • Opcode Fuzzy Hash: c6366c7e86d1317f88172645c77f7eb852d0b096b06d47a7312095c884c4f667
            • Instruction Fuzzy Hash: 35D0C9323C1710BBE674A771EC0FFCA6615AB04B11F514A167745BA1E0C9F0A80A8A65
            Function 00E22322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
            Download Yara Rule
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E2232C
            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E2233F
              • Part of subcall function 00DFE97B: Sleep.KERNEL32 ref: 00DFE9F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: d504a4e2579e6467fec2313802ac51175e978051fc18b38f6c334b88fac1562d
            • Instruction ID: 346d8ab01c72f01805975426c0cacbf5f01c36b1a27a94d8805f60863283c0a2
            • Opcode Fuzzy Hash: d504a4e2579e6467fec2313802ac51175e978051fc18b38f6c334b88fac1562d
            • Instruction Fuzzy Hash: 40D012363D4710BBE674B771EC0FFDE7A15AB04B11F114A167745BA1E0C9F0A80ACA64
            Function 00DCBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00DCBE93
            • GetLastError.KERNEL32 ref: 00DCBEA1
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DCBEFC
            Memory Dump Source
            • Source File: 00000000.00000002.1682567196.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
            • Associated: 00000000.00000002.1682550376.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682618951.0000000000E52000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682670879.0000000000E5C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1682694129.0000000000E64000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_d90000_BOQ Inquiry.jbxd
            Similarity
            • API ID: ByteCharMultiWide$ErrorLast
            • String ID:
            • API String ID: 1717984340-0
            • Opcode ID: 017c21e0844b3015b6b4c24df733cdffedd8e0e1b3e82b36c65550ccad59b6aa
            • Instruction ID: 36fc4b729b3da783169e6bfcfa0a33d69af0099a4509713ccb654e245012bb4b
            • Opcode Fuzzy Hash: 017c21e0844b3015b6b4c24df733cdffedd8e0e1b3e82b36c65550ccad59b6aa
            • Instruction Fuzzy Hash: C241A034605217AFDB218FA5CC46FAA7BA8AF41720F28416EF959972A1DB31CC05CB70