Windows Analysis Report
RFQ.exe

Overview

General Information

Sample name: RFQ.exe
Analysis ID: 1564379
MD5: f16382c47d6df2809c980a0e8dc937db
SHA1: 2bbf3d4682a253d373f01ead1cb86c8e3c269ae3
SHA256: 88fa1f0c7c938dd906f2757b1df097ce40dbaa45740960a0457c41fd93c9285a
Tags: exe, RFQ, user-cocaman

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ.exe (PID: 6188 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: F16382C47D6DF2809C980A0E8DC937DB)
    • RegSvcs.exe (PID: 6356 cmdline: "C:\Users\user\Desktop\RFQ.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}
Source: 00000007.00000002.2505232731.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Author: Joe Security
Source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.unpack, Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Author: ditekSHen
Source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Author: Joe Security
Source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen

                System Summary

Source: Network Connection, Author: frack113, Data: DestinationIp: 162.251.80.30, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6356, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49701

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T09:10:58.298013+0100 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 162.251.80.30 | 587 | TCP
2024-11-28T09:10:58.298013+0100 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49701 | 162.251.80.30 | 587 | TCP


                AV Detection

Source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}
Source: RFQ.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ.exe Joe Sandbox ML: detected
Source: RFQ.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RFQ.exe, 00000000.00000003.1288363330.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.1288170012.0000000003A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RFQ.exe, 00000000.00000003.1288363330.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.1288170012.0000000003A00000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00976CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00976CA9
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009760DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_009760DD
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009763F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_009763F9
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0097EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0097EB60
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0097F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0097F5FA
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0097F56F FindFirstFileW,FindClose,0_2_0097F56F
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00981B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00981B2F
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00981C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00981C8A
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00981F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00981F94

                Networking

Source: Network traffic Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.7:49701 -> 162.251.80.30:587
Source: Network traffic Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.7:49701 -> 162.251.80.30:587
Source: global traffic TCP traffic: 192.168.2.7:49701 -> 162.251.80.30:587
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00984EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00984EB5
Source: global traffic DNS traffic detected: DNS query: mail.thelamalab.com
Source: RegSvcs.exe, 00000007.00000002.2505232731.0000000002E98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.thelamalab.com
Source: RegSvcs.exe, 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, abAX9N.cs .Net Code: K8VU1S
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00986B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00986B0C
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00986D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00986D07
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00972B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00972B37

                System Summary

Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.54f0000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2b3fed6.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2b3efee.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2de0ee8.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3e92f90.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3e46458.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.3e45570.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2b3efee.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ.exe.3530000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.3e92f90.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3e45570.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2de0000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3e46458.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.2503049037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1291396464.0000000003530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\RFQ.exe Code function: This is a third-party compiled AutoIt script. 0_2_00933D19
Source: RFQ.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RFQ.exe, 00000000.00000000.1255582568.00000000009DE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.memstr_5595f309-d
Source: RFQ.exe, 00000000.00000000.1255582568.00000000009DE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_e04dc66d-d
Source: RFQ.exe String found in binary or memory: This is a third-party compiled AutoIt script.memstr_2529746c-5
Source: RFQ.exe String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_144d27ab-7
Source: initial sample Static PE information: Filename: RFQ.exe
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_00976685: CreateFileW,DeviceIoControl,CloseHandle,0_2_00976685
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0096ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_0096ACC5
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009779D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_009779D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\RFQ.exe Code function: String function: 0094EC2F appears 68 times
Source: C:\Users\user\Desktop\RFQ.exe Code function: String function: 00956AC0 appears 42 times
Source: C:\Users\user\Desktop\RFQ.exe Code function: String function: 0095F8A0 appears 35 times
Source: RFQ.exe, 00000000.00000003.1279145273.0000000003AD3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
Source: RFQ.exe, 00000000.00000003.1275231218.0000000003C7D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.1291396464.0000000003530000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs RFQ.exe
Source: RFQ.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.54f0000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2b3fed6.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2b3efee.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2de0ee8.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3e92f90.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3e46458.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 7.2.RegSvcs.exe.3e45570.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 7.2.RegSvcs.exe.2b3efee.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.RFQ.exe.3530000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 7.2.RegSvcs.exe.3e92f90.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 7.2.RegSvcs.exe.3e45570.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 7.2.RegSvcs.exe.2de0000.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 7.2.RegSvcs.exe.3e46458.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000007.00000002.2503049037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000000.00000002.1291396464.0000000003530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                Source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                Source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                Source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, RsYAkkzVoy.csCryptographic APIs: 'TransformFinalBlock'
                Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, Kqqzixk.csCryptographic APIs: 'TransformFinalBlock'
                Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, xROdzGigX.csCryptographic APIs: 'TransformFinalBlock'
                Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, ywes.csCryptographic APIs: 'TransformFinalBlock'
                Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, iPVW0zV.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, 1Pi9sgbHwoV.csCryptographic APIs: 'CreateDecryptor'
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@1/1
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0097CE7A GetLastError,FormatMessageW,0_2_0097CE7A
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0096AB84 AdjustTokenPrivileges,CloseHandle,0_2_0096AB84
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0096B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_0096B134
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0097E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0097E1FD
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00976532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,0_2_00976532
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0098C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_0098C18C
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0093406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_0093406B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                Source: C:\Users\user\Desktop\RFQ.exeFile created: C:\Users\user~1\AppData\Local\Temp\aut20E5.tmpJump to behavior
                Source: RFQ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: RFQ.exeReversingLabs: Detection: 36%
                Source: unknownProcess created: C:\Users\user\Desktop\RFQ.exe "C:\Users\user\Desktop\RFQ.exe"
                Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ.exe"
                Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ.exe"Jump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                Source: RFQ.exeStatic file information: File size 1208320 > 1048576
                Source: RFQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: RFQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: RFQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: RFQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: RFQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: RFQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: RFQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RFQ.exe, 00000000.00000003.1288363330.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.1288170012.0000000003A00000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RFQ.exe, 00000000.00000003.1288363330.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, RFQ.exe, 00000000.00000003.1288170012.0000000003A00000.00000004.00001000.00020000.00000000.sdmp
                Source: RFQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: RFQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: RFQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: RFQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: RFQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
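The process-creation evidence above is the detail a defender should key on: RFQ.exe starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, yet the child's command line still reads "C:\Users\user\Desktop\RFQ.exe". That is the footprint of a hollowed host: the parent passes its own command line to CreateProcess, starts the signed .NET utility suspended, replaces its image (the "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures), and the original command line is never rewritten. The Python below is an added example, not code from Joe Sandbox or from the sample. It runs that mismatch check over constructed Sysmon-style process-creation events; the event field names, the list of hollowing hosts and the user-writable path fragments are assumptions a practitioner would tune.

```python
"""Flag hollowed .NET host processes from process-creation events.

Added example, not code from Joe Sandbox or from the sample. The events
below are constructed to mirror the process tree in the report: RFQ.exe
spawns RegSvcs.exe, but the child's command line still names RFQ.exe.
"""
import ntpath
import re

# .NET framework utilities commonly used as hollowing hosts (assumption:
# tune this list to what is normal in your environment).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

# Path fragments that mark a parent living in a user-writable location
# (assumption, lower-cased for comparison).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# argv[0] of a Windows command line: either a quoted path or the first
# whitespace-delimited token.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def command_line_image(command_line: str) -> str:
    """Return the lower-cased basename of the executable named in argv[0]."""
    m = _FIRST_TOKEN.match(command_line)
    if not m:
        return ""
    return ntpath.basename(m.group(1) or m.group(2)).lower()


def flag_hollowing(events):
    """Return one finding per suspicious event: (pid, image, reasons)."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        claimed = command_line_image(ev["CommandLine"])
        parent = ev["ParentImage"].lower()
        reasons = []
        # The command line names a different binary than the one running:
        # the parent supplied its own path and then swapped the image.
        if claimed and claimed != image:
            reasons.append(f"command line names {claimed} but image is {image}")
        # A framework utility launched by something in a user-writable path.
        if image in HOLLOW_HOSTS and any(p in parent for p in USER_WRITABLE):
            reasons.append(f"{image} started by parent in user-writable path {ev['ParentImage']}")
        if reasons:
            findings.append((ev["ProcessId"], ev["Image"], reasons))
    return findings


# Constructed events (Sysmon Event ID 1 style field names, assumed).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Users\user\Desktop\RFQ.exe",
     "CommandLine": r'"C:\Users\user\Desktop\RFQ.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5236,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\Desktop\RFQ.exe"',
     "ParentImage": r"C:\Users\user\Desktop\RFQ.exe"},
    {"ProcessId": 6010, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, image, reasons in flag_hollowing(SAMPLE_EVENTS):
        print(pid, image)
        for reason in reasons:
            print("   ", reason)
```

Only the RegSvcs.exe event is flagged, on both rules. Treat the mismatch as a triage signal rather than a verdict: wrappers and renamed copies also produce an argv[0] that differs from the image, so confirm with the foreign-memory-write and section-mapping evidence the sandbox lists for the same process.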

                Data Obfuscation

Source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.3e92f90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.3e46458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0094E01E LoadLibraryA,GetProcAddress,0_2_0094E01E
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00956B05 push ecx; ret 0_2_00956B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041C40C push cs; iretd 7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00423149 push eax; ret 7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041C50E push cs; iretd 7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004231C8 push eax; ret 7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040E21D push ecx; ret 7_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041C6BE push ebx; ret 7_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004227E5 push edi; ret 7_2_00422909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0640FE10 push es; ret 7_2_0640FE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0640FDF0 push es; ret 7_2_0640FE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0640F980 push es; ret 7_2_0640FE00
Source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DabkV06npXB7e', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DabkV06npXB7e', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DabkV06npXB7e', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.3e92f90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DabkV06npXB7e', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.3e46458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'DabkV06npXB7e', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00998111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00998111
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0094EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0094EB42
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0095123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0095123A
Source: C:\Users\user\Desktop\RFQ.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (53 occurrences)
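The `push ecx; ret`, `push eax; ret`, `push es; ret` and `push cs; iretd` hits listed under Data Obfuscation above are the sandbox's way of flagging return-based control transfer: a push followed by a ret jumps to the pushed value without a jmp or call opcode, so a recursive-descent disassembler never sees the edge. Note that the report's pairs are not adjacent (the push at 0x00956B05 is paired with a ret at 0x00956B18), and two of the RegSvcs.exe hits share the same ret address, which is typical of a linear sweep over the hollowed image that also disassembles data. The Python below is an added example, not code from Joe Sandbox or from the sample: a minimal linear-sweep scanner for adjacent push/ret and push/iretd pairs, which is enough to catch the classic `push imm32; ret` trampoline but, unlike the sandbox, does not track a value pushed several instructions before the ret. The bytes it scans are constructed, not taken from RFQ.exe or RegSvcs.exe.

```python
"""Linear-sweep scanner for push/ret control-flow obfuscation in x86 code.

Added example, not code from Joe Sandbox or from the sample. Only adjacent
pairs are matched; tracking a pushed value across intervening instructions
needs a real disassembler. The sample bytes are constructed.
"""
import struct

# One-byte x86 opcodes involved in the pattern.
PUSH_REG = {0x50 + i: name for i, name in enumerate(
    ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
PUSH_IMM32 = 0x68
RET, IRETD = 0xC3, 0xCF


def find_push_ret(code: bytes, base: int = 0x400000):
    """Return (virtual address, mnemonic, jump target or None) per hit."""
    hits = []
    i = 0
    while i < len(code):
        op = code[i]
        nxt = code[i + 1] if i + 1 < len(code) else None
        if op in PUSH_REG and nxt == RET:
            # push reg; ret == jmp reg, target only known at run time.
            hits.append((base + i, f"push {PUSH_REG[op]}; ret", None))
            i += 2
        elif op == PUSH_IMM32 and i + 5 < len(code) and code[i + 5] == RET:
            # push imm32; ret == jmp imm32 with the target stored in-line.
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, f"push 0x{target:08x}; ret", target))
            i += 6
        elif op in PUSH_SEG and nxt in (RET, IRETD):
            # Segment-register pushes before ret/iretd never appear in
            # compiler output; in a sweep they usually mean data, not code.
            tail = "ret" if nxt == RET else "iretd"
            hits.append((base + i, f"push {PUSH_SEG[op]}; {tail}", None))
            i += 2
        else:
            i += 1
    return hits


# Constructed bytes: nop; push 0x12345678; ret; nop; push ecx; ret;
# push cs; iretd; and a trailing push edx with no ret after it.
SAMPLE_CODE = bytes([0x90, 0x68, 0x78, 0x56, 0x34, 0x12, 0xC3,
                     0x90, 0x51, 0xC3, 0x0E, 0xCF, 0x52])

if __name__ == "__main__":
    for addr, text, target in find_push_ret(SAMPLE_CODE):
        print(f"{addr:08x}  {text}")
```

Run against a real section the scanner will also fire on data bytes and on legitimate compiler idioms, so a hit is a place to start disassembling by hand, not a verdict; the sandbox pairs these findings with the entropy and reflection evidence above before scoring.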

                Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\RFQ.exe | API/Special instruction interceptor: Address: FF059C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,7_2_004019F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7259
Source: C:\Users\user\Desktop\RFQ.exe | Evaded block: after key decision (graph_0-96059)
Source: C:\Users\user\Desktop\RFQ.exe | Evaded block: after key decision (graph_0-95169)
Source: C:\Users\user\Desktop\RFQ.exe | API coverage: 4.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00976CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00976CA9
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_009760DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_009760DD
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_009763F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_009763F9
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0097EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0097EB60
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0097F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0097F5FA
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0097F56F FindFirstFileW,FindClose,0_2_0097F56F
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00981B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00981B2F
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00981C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00981C8A
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00981F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00981F94
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0094DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0094DDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99106
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98606
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98487
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97823
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96796
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96686Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96578Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96468Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96248Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96125Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96015Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95906Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95796Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95687Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95578Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95468Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95249Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95139Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95030Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94921Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94812Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94703Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94593Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94374Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: RegSvcs.exe, 00000007.00000002.2506887628.0000000005453000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00986AAF BlockInput,0_2_00986AAF
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00933D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00933D19
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00963920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_00963920
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,7_2_004019F0
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0094E01E LoadLibraryA,GetProcAddress,0_2_0094E01E
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00FEF1C8 mov eax, dword ptr fs:[00000030h]0_2_00FEF1C8
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00FF0868 mov eax, dword ptr fs:[00000030h]0_2_00FF0868
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00FF0808 mov eax, dword ptr fs:[00000030h]0_2_00FF0808
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0096A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_0096A66C
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00958189 SetUnhandledExceptionFilter,0_2_00958189
                Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_009581AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009581AC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_0040CE09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_0040E61C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00416F6A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_004123F1 SetUnhandledExceptionFilter,7_2_004123F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RFQ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B02008
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0096B106 LogonUserW,0_2_0096B106
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00933D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00933D19
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0097411C SendInput,keybd_event,0_2_0097411C
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_009774BB mouse_event,0_2_009774BB
Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ.exe"
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0096A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_0096A66C
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_009771FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_009771FA
Source: RFQ.exe | Binary or memory string: Shell_TrayWnd
Source: RFQ.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_009565C4 cpuid 0_2_009565C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoA,7_2_00417A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0098091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,0_2_0098091D
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_009AB340 GetUserNameW,0_2_009AB340
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00961E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00961E8E
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0094DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0094DDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.54f0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3fed6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3efee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e92f90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e46458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3efee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e92f90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e45570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e46458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2505232731.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505232731.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505232731.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6356, type: MEMORYSTR
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.54f0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3fed6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3efee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e92f90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e46458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3efee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e92f90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e45570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e46458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: RFQ.exe | Binary or memory string: WIN_81
Source: RFQ.exe | Binary or memory string: WIN_XP
Source: RFQ.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: RFQ.exe | Binary or memory string: WIN_XPe
Source: RFQ.exe | Binary or memory string: WIN_VISTA
Source: RFQ.exe | Binary or memory string: WIN_7
Source: RFQ.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.54f0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3fed6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3efee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e92f90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e46458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3efee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e92f90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e45570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e46458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505232731.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6356, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.54f0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3fed6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3efee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e92f90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e46458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3efee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e92f90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e45570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e46458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2505232731.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505232731.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505232731.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6356, type: MEMORYSTR
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.54f0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3fed6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3efee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.54f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3fed6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e92f90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e46458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2b3efee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e92f90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e45570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.2de0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.3e46458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00988C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00988C4F
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0098923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_0098923B
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Windows Management Instrumentation (121) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (11) | OS Credential Dumping (2) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Native API (2) | Valid Accounts (2) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (11) | Input Capture (111) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (2) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Valid Accounts (2) | Obfuscated Files or Information (2) | Credentials in Registry (1) | File and Directory Discovery (2) | SMB/Windows Admin Shares | Email Collection (1) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Access Token Manipulation (21) | Software Packing (1) | NTDS | System Information Discovery (148) | Distributed Component Object Model | Input Capture (111) | Non-Application Layer Protocol (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (212) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (251) | SSH | Clipboard Data (3) | Application Layer Protocol (11) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Valid Accounts (2) | Cached Domain Credentials | Virtualization/Sandbox Evasion (121) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (121) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (212) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

Source | Detection | Scanner | Label
RFQ.exe | 37% | ReversingLabs | Win32.Trojan.AutoitInject
RFQ.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://mail.thelamalab.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.thelamalab.com | 162.251.80.30 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.thelamalab.com | RegSvcs.exe, 00000007.00000002.2505232731.0000000002E98000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | RegSvcs.exe, 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.251.80.30 | mail.thelamalab.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1564379
                    Start date and time:2024-11-28 09:10:07 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 43s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:RFQ.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/2@1/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 97%
                    • Number of executed functions: 49
                    • Number of non-executed functions: 297
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: RFQ.exe
Time | Type | Description
03:11:05 | API Interceptor | 49x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.251.80.30 | shipping doc -GY298035826.exe | malicious | AgentTesla, PureLog Stealer |
162.251.80.30 | w6dnPra4mx.exe | malicious | AgentTesla, PureLog Stealer |
162.251.80.30 | shipping doc.exe | malicious | AgentTesla, PureLog Stealer |
162.251.80.30 | shipping advice.exe | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.thelamalab.com | shipping doc -GY298035826.exe | malicious | AgentTesla, PureLog Stealer | 162.251.80.30
mail.thelamalab.com | w6dnPra4mx.exe | malicious | AgentTesla, PureLog Stealer | 162.251.80.30
mail.thelamalab.com | shipping doc.exe | malicious | AgentTesla, PureLog Stealer | 162.251.80.30
mail.thelamalab.com | shipping advice.exe | malicious | AgentTesla | 162.251.80.30
mail.thelamalab.com | new p o.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | DOCUMENTS.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SHIPPING ORDER.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | receipt-73633T36X90N.exe | malicious | AgentTesla | 162.222.226.100
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PUBLIC-DOMAIN-REGISTRYUS | Quote5000AFC.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 199.79.62.115
PUBLIC-DOMAIN-REGISTRYUS | Quote1000AFC.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 199.79.62.115
PUBLIC-DOMAIN-REGISTRYUS | shipping doc -GY298035826.exe | malicious | AgentTesla, PureLog Stealer | 162.251.80.30
PUBLIC-DOMAIN-REGISTRYUS | New Purchase Order Document for PO1136908 000 SE.exe | malicious | AgentTesla | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | Pigroots.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 199.79.63.24
PUBLIC-DOMAIN-REGISTRYUS | Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 199.79.63.24
PUBLIC-DOMAIN-REGISTRYUS | https://www.google.com.bn/url?snf=vpsBrmjsMjZT0YKBELze&nuu=B4grUxP5T5pV5xJiiFp0&sa=t&ndg=e2p4qPDSQqlwr77oflqr&pdbr=npO0StsDFHvGF7jwYfWY&np=slEjuRPdabbflvaXgHau&cb=IhzFYfcuqq5m2vva4DTH&url=amp%2Fbeutopiantech.com%2Fchd%2FroghgehdjtiE-SURECHDDam9lbC5kZW5vZnJpb0BoYW5lc2NvbXBhbmllcy5jb20= | malicious | Unknown | 103.211.216.144
PUBLIC-DOMAIN-REGISTRYUS | Quote 40240333-REV2.exe | malicious | AgentTesla | 199.79.62.115
PUBLIC-DOMAIN-REGISTRYUS | DOCS.exe | malicious | AgentTesla | 207.174.215.249
PUBLIC-DOMAIN-REGISTRYUS | Ksciarillo_Reord_Adjustment.docx | malicious | Unknown | 208.91.198.81
                            No context
                            No context
                            Process:C:\Users\user\Desktop\RFQ.exe
                            File Type:data
                            Category:modified
                            Size (bytes):267776
                            Entropy (8bit):7.90234993589621
                            Encrypted:false
                            SSDEEP:6144:16odXvj48AU+qaYA6jREe33NBRkRX/trcHptfALMCynfH:cQXM8wqakSCn0trc/cM9P
                            MD5:F6E25F3D40F027A4CD0CE6C8433F7F7C
                            SHA1:BEF34FF87D133331F4FBE3D25ABB5A78A0900762
                            SHA-256:D811A556D16778322A3FF818DEEC831CC09C85ECD9BFA7AEC33065F45830F17C
                            SHA-512:1C2454F4DACAF486B530BC516F2C840662AAF1E4034CB8317149F02ABC3DC5F264A92716B856C37F38889282EA72C0BD7E898363B474B7E7049ED2D8C7948317
                            Malicious:false
                            Reputation:low
                            Process:C:\Users\user\Desktop\RFQ.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):267776
                            Entropy (8bit):7.90234993589621
                            Encrypted:false
                            SSDEEP:6144:16odXvj48AU+qaYA6jREe33NBRkRX/trcHptfALMCynfH:cQXM8wqakSCn0trc/cM9P
                            MD5:F6E25F3D40F027A4CD0CE6C8433F7F7C
                            SHA1:BEF34FF87D133331F4FBE3D25ABB5A78A0900762
                            SHA-256:D811A556D16778322A3FF818DEEC831CC09C85ECD9BFA7AEC33065F45830F17C
                            SHA-512:1C2454F4DACAF486B530BC516F2C840662AAF1E4034CB8317149F02ABC3DC5F264A92716B856C37F38889282EA72C0BD7E898363B474B7E7049ED2D8C7948317
                            Malicious:false
                            Reputation:low
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.140623093564008
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:RFQ.exe
                            File size:1'208'320 bytes
                            MD5:f16382c47d6df2809c980a0e8dc937db
                            SHA1:2bbf3d4682a253d373f01ead1cb86c8e3c269ae3
                            SHA256:88fa1f0c7c938dd906f2757b1df097ce40dbaa45740960a0457c41fd93c9285a
                            SHA512:7a5cb4b2ca4724ca3f5474baa97e58c991f9bd56b8a0c323dcc5027a43ee876fae85bfdbd3dcbf910b8a47ff50d777ef6619d52fca3758150e9561c986934736
                            SSDEEP:24576:8tb20pkaCqT5TBWgNQ7aGI6jcC7uFrUQLb6A:lVg5tQ7aGI6IlfP5
                            TLSH:6A45CF1373DE8361C3B26273BA15B741BEBF782506B5F56B2FD8093DA820161521EA73
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                            Icon Hash:aaf3e3e3938382a0
                            Entrypoint:0x425f74
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6747B275 [Wed Nov 27 23:59:49 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:3d95adbf13bbe79dc24dccb401c12091
                            Instruction
                            call 00007F40BC6DB08Fh
                            jmp 00007F40BC6CE0A4h
                            int3
                            int3
                            push edi
                            push esi
                            mov esi, dword ptr [esp+10h]
                            mov ecx, dword ptr [esp+14h]
                            mov edi, dword ptr [esp+0Ch]
                            mov eax, ecx
                            mov edx, ecx
                            add eax, esi
                            cmp edi, esi
                            jbe 00007F40BC6CE22Ah
                            cmp edi, eax
                            jc 00007F40BC6CE58Eh
                            bt dword ptr [004C0158h], 01h
                            jnc 00007F40BC6CE229h
                            rep movsb
                            jmp 00007F40BC6CE53Ch
                            cmp ecx, 00000080h
                            jc 00007F40BC6CE3F4h
                            mov eax, edi
                            xor eax, esi
                            test eax, 0000000Fh
                            jne 00007F40BC6CE230h
                            bt dword ptr [004BA370h], 01h
                            jc 00007F40BC6CE700h
                            bt dword ptr [004C0158h], 00000000h
                            jnc 00007F40BC6CE3CDh
                            test edi, 00000003h
                            jne 00007F40BC6CE3DEh
                            test esi, 00000003h
                            jne 00007F40BC6CE3BDh
                            bt edi, 02h
                            jnc 00007F40BC6CE22Fh
                            mov eax, dword ptr [esi]
                            sub ecx, 04h
                            lea esi, dword ptr [esi+04h]
                            mov dword ptr [edi], eax
                            lea edi, dword ptr [edi+04h]
                            bt edi, 03h
                            jnc 00007F40BC6CE233h
                            movq xmm1, qword ptr [esi]
                            sub ecx, 08h
                            lea esi, dword ptr [esi+08h]
                            movq qword ptr [edi], xmm1
                            lea edi, dword ptr [edi+08h]
                            test esi, 00000007h
                            je 00007F40BC6CE285h
                            bt esi, 03h
                            jnc 00007F40BC6CE2D8h
                            movdqa xmm1, dqword ptr [esi+00h]
                            Programming Language:
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [ASM] VS2012 UPD4 build 61030
                            • [RES] VS2012 UPD4 build 61030
                            • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5de50 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5de50 | 0x5e000 | 60a42eb5020cbd5ce00a5cb18f2ed6ce | False | 0.9297134724069149 | data | 7.899529254763618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x122000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x55157 | data | | | 1.0003328522279578
RT_GROUP_ICON | 0x121910 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x121988 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x12199c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1219b0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1219c4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x121aa0 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll: __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll: GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll: SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll: SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-28T09:10:58.298013+0100 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.7 | 49701 | 162.251.80.30 | 587 | TCP
2024-11-28T09:10:58.298013+0100 | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 192.168.2.7 | 49701 | 162.251.80.30 | 587 | TCP
TCP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
UDP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2024 09:11:06.681221008 CET | 56187 | 53 | 192.168.2.7 | 1.1.1.1
Nov 28, 2024 09:11:07.383708000 CET | 53 | 56187 | 1.1.1.1 | 192.168.2.7
DNS queries: Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 28, 2024 09:11:06.681221008 CET | 192.168.2.7 | 1.1.1.1 | 0xc00d | Standard query (0) | mail.thelamalab.com | A (IP address) | IN (0x0001) | false
DNS answers: Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 28, 2024 09:11:07.383708000 CET | 1.1.1.1 | 192.168.2.7 | 0xc00d | No error (0) | mail.thelamalab.com | | 162.251.80.30 | A (IP address) | IN (0x0001) | false
SMTP conversation: Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 28, 2024 09:11:08.911250114 CET | 587 | 49701 | 162.251.80.30 | 192.168.2.7 | 220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 28 Nov 2024 13:41:08 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 28, 2024 09:11:08.912019014 CET | 49701 | 587 | 192.168.2.7 | 162.251.80.30 | EHLO 571345
Nov 28, 2024 09:11:09.304749966 CET | 587 | 49701 | 162.251.80.30 | 192.168.2.7 | 250-md-114.webhostbox.net Hello 571345 [8.46.123.228]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Nov 28, 2024 09:11:09.311629057 CET | 49701 | 587 | 192.168.2.7 | 162.251.80.30 | AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==
Nov 28, 2024 09:11:09.740322113 CET | 587 | 49701 | 162.251.80.30 | 192.168.2.7 | 334 UGFzc3dvcmQ6
Nov 28, 2024 09:11:10.311747074 CET | 587 | 49701 | 162.251.80.30 | 192.168.2.7 | 235 Authentication succeeded
Nov 28, 2024 09:11:10.312066078 CET | 49701 | 587 | 192.168.2.7 | 162.251.80.30 | MAIL FROM:<billing@thelamalab.com>
Nov 28, 2024 09:11:10.709414005 CET | 587 | 49701 | 162.251.80.30 | 192.168.2.7 | 250 OK
Nov 28, 2024 09:11:10.709605932 CET | 49701 | 587 | 192.168.2.7 | 162.251.80.30 | RCPT TO:<jinhux31@gmail.com>
Nov 28, 2024 09:11:11.384737015 CET | 587 | 49701 | 162.251.80.30 | 192.168.2.7 | 250 Accepted
Nov 28, 2024 09:11:11.386784077 CET | 49701 | 587 | 192.168.2.7 | 162.251.80.30 | DATA
Nov 28, 2024 09:11:11.821419001 CET | 587 | 49701 | 162.251.80.30 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
Nov 28, 2024 09:11:11.822220087 CET | 49701 | 587 | 192.168.2.7 | 162.251.80.30 | .
Nov 28, 2024 09:11:12.335197926 CET | 587 | 49701 | 162.251.80.30 | 192.168.2.7 | 250 OK id=1tGZcF-004MqR-1u
Nov 28, 2024 09:12:46.737615108 CET | 49701 | 587 | 192.168.2.7 | 162.251.80.30 | QUIT
Nov 28, 2024 09:12:47.335577011 CET | 587 | 49701 | 162.251.80.30 | 192.168.2.7 | 221 md-114.webhostbox.net closing connection

                            Target ID:0
                            Start time:03:11:00
                            Start date:28/11/2024
                            Path:C:\Users\user\Desktop\RFQ.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\RFQ.exe"
                            Imagebase:0x930000
                            File size:1'208'320 bytes
                            MD5 hash:F16382C47D6DF2809C980A0E8DC937DB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1291396464.0000000003530000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:low
                            Has exited:true

                            Target ID:7
                            Start time:03:11:02
                            Start date:28/11/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\RFQ.exe"
                            Imagebase:0x8e0000
                            File size:45'984 bytes
                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2505232731.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000007.00000002.2505172504.0000000002DE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.2503049037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000007.00000002.2507016718.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2505011550.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2505232731.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2506179650.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2505232731.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2505232731.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high
                            Has exited:false

                              Execution Graph

                              Execution Coverage:3.9%
                              Dynamic/Decrypted Code Coverage:0.5%
                              Signature Coverage:8.1%
                              Total number of Nodes:1994
                              Total number of Limit Nodes:160
_memcpy_s 94630->94657 94633 9a3989 94634 93ba85 48 API calls 94633->94634 94635 9a3973 94634->94635 94635->94621 94660 9726bc 88 API calls 4 library calls 94636->94660 94638 936b4a 48 API calls 94637->94638 94640 9a3914 94638->94640 94639->94630 94644 94f4ea 48 API calls 94640->94644 94643 93b66c CharUpperBuffW 94642->94643 94643->94630 94644->94625 94645->94454 94646->94630 94647->94630 94649 93bb25 94648->94649 94653 93ba98 _memcpy_s 94648->94653 94651 94f4ea 48 API calls 94649->94651 94650 94f4ea 48 API calls 94652 93ba9f 94650->94652 94651->94653 94654 94f4ea 48 API calls 94652->94654 94655 93bac8 94652->94655 94653->94650 94654->94655 94655->94621 94656->94630 94657->94630 94658->94635 94659->94633 94660->94635 94661->94478 94662->94466 94663->94466 94664->94476 94665->94468 94666->94483 94667 fef708 94681 fed358 94667->94681 94669 fef7e3 94684 fef5f8 94669->94684 94687 ff0808 GetPEB 94681->94687 94683 fed9e3 94683->94669 94685 fef601 Sleep 94684->94685 94686 fef60f 94685->94686 94688 ff0832 94687->94688 94688->94683 94689 9a19dd 94694 934a30 94689->94694 94691 9a19f1 94714 950f0a 52 API calls __cinit 94691->94714 94693 9a19fb 94695 934a40 __ftell_nolock 94694->94695 94696 93d7f7 48 API calls 94695->94696 94697 934af6 94696->94697 94715 935374 94697->94715 94699 934aff 94722 93363c 94699->94722 94702 93518c 48 API calls 94703 934b18 94702->94703 94728 9364cf 94703->94728 94706 93d7f7 48 API calls 94707 934b32 94706->94707 94734 9349fb 94707->94734 94709 934b43 Mailbox 94709->94691 94710 9361a6 48 API calls 94711 934b3d _wcscat Mailbox __wsetenvp 94710->94711 94711->94709 94711->94710 94712 93ce19 48 API calls 94711->94712 94713 9364cf 48 API calls 94711->94713 94712->94711 94713->94711 94714->94693 94748 95f8a0 94715->94748 94718 93ce19 48 API calls 94719 9353a7 94718->94719 94750 93660f 94719->94750 94721 9353b1 Mailbox 94721->94699 94723 933649 __ftell_nolock 94722->94723 94757 93366c GetFullPathNameW 94723->94757 94725 93365a 94726 936a63 48 API calls 
94725->94726 94727 933669 94726->94727 94727->94702 94729 93651b 94728->94729 94733 9364dd _memcpy_s 94728->94733 94732 94f4ea 48 API calls 94729->94732 94730 94f4ea 48 API calls 94731 934b29 94730->94731 94731->94706 94732->94733 94733->94730 94759 93bcce 94734->94759 94737 9a41cc RegQueryValueExW 94739 9a4246 RegCloseKey 94737->94739 94740 9a41e5 94737->94740 94738 934a2b 94738->94711 94741 94f4ea 48 API calls 94740->94741 94742 9a41fe 94741->94742 94765 9347b7 94742->94765 94745 9a423b 94745->94739 94746 9a4224 94747 936a63 48 API calls 94746->94747 94747->94745 94749 935381 GetModuleFileNameW 94748->94749 94749->94718 94751 95f8a0 __ftell_nolock 94750->94751 94752 93661c GetFullPathNameW 94751->94752 94753 936a63 48 API calls 94752->94753 94754 936643 94753->94754 94755 936571 48 API calls 94754->94755 94756 93664f 94755->94756 94756->94721 94758 93368a 94757->94758 94758->94725 94760 93bce8 94759->94760 94764 934a0a RegOpenKeyExW 94759->94764 94761 94f4ea 48 API calls 94760->94761 94762 93bcf2 94761->94762 94763 94ee75 48 API calls 94762->94763 94763->94764 94764->94737 94764->94738 94766 94f4ea 48 API calls 94765->94766 94767 9347c9 RegQueryValueExW 94766->94767 94767->94745 94767->94746 94768 955dfd 94769 955e09 type_info::_Type_info_dtor 94768->94769 94805 957eeb GetStartupInfoW 94769->94805 94771 955e0e 94807 959ca7 GetProcessHeap 94771->94807 94773 955e71 94808 957b47 94773->94808 94774 955e66 94774->94773 94892 955f4d 47 API calls 3 library calls 94774->94892 94777 955e77 94778 955e82 __RTC_Initialize 94777->94778 94893 955f4d 47 API calls 3 library calls 94777->94893 94829 95acb3 94778->94829 94781 955e91 94782 955e9d GetCommandLineW 94781->94782 94894 955f4d 47 API calls 3 library calls 94781->94894 94848 962e7d GetEnvironmentStringsW 94782->94848 94785 955e9c 94785->94782 94789 955ec2 94861 962cb4 94789->94861 94792 955ec8 94793 955ed3 94792->94793 94896 95115b 47 API calls 3 library calls 94792->94896 94875 951195 94793->94875 94796 955edb 94797 
955ee6 __wwincmdln 94796->94797 94897 95115b 47 API calls 3 library calls 94796->94897 94879 933a0f 94797->94879 94800 955efa 94801 955f09 94800->94801 94898 9513f1 47 API calls _doexit 94800->94898 94899 951186 47 API calls _doexit 94801->94899 94804 955f0e type_info::_Type_info_dtor 94806 957f01 94805->94806 94806->94771 94807->94774 94900 95123a 30 API calls 2 library calls 94808->94900 94810 957b4c 94901 957e23 InitializeCriticalSectionAndSpinCount 94810->94901 94812 957b51 94813 957b55 94812->94813 94903 957e6d TlsAlloc 94812->94903 94902 957bbd 50 API calls 2 library calls 94813->94902 94816 957b67 94816->94813 94818 957b72 94816->94818 94817 957b5a 94817->94777 94904 956986 94818->94904 94821 957bb4 94912 957bbd 50 API calls 2 library calls 94821->94912 94824 957b93 94824->94821 94826 957b99 94824->94826 94825 957bb9 94825->94777 94911 957a94 47 API calls 4 library calls 94826->94911 94828 957ba1 GetCurrentThreadId 94828->94777 94830 95acbf type_info::_Type_info_dtor 94829->94830 94921 957cf4 94830->94921 94832 95acc6 94833 956986 __calloc_crt 47 API calls 94832->94833 94835 95acd7 94833->94835 94834 95ace2 type_info::_Type_info_dtor @_EH4_CallFilterFunc@8 94834->94781 94835->94834 94836 95ad42 GetStartupInfoW 94835->94836 94842 95ad57 94836->94842 94844 95ae80 94836->94844 94837 95af44 94928 95af58 LeaveCriticalSection _doexit 94837->94928 94839 95aec9 GetStdHandle 94839->94844 94840 956986 __calloc_crt 47 API calls 94840->94842 94841 95aedb GetFileType 94841->94844 94842->94840 94843 95ada5 94842->94843 94842->94844 94843->94844 94846 95ade5 InitializeCriticalSectionAndSpinCount 94843->94846 94847 95add7 GetFileType 94843->94847 94844->94837 94844->94839 94844->94841 94845 95af08 InitializeCriticalSectionAndSpinCount 94844->94845 94845->94844 94846->94843 94847->94843 94847->94846 94849 955ead 94848->94849 94850 962e8e 94848->94850 94855 962a7b GetModuleFileNameW 94849->94855 94960 9569d0 47 API calls __crtLCMapStringA_stat 94850->94960 94853 962eca 
FreeEnvironmentStringsW 94853->94849 94854 962eb4 _memcpy_s 94854->94853 94856 962aaf _wparse_cmdline 94855->94856 94857 955eb7 94856->94857 94858 962ae9 94856->94858 94857->94789 94895 95115b 47 API calls 3 library calls 94857->94895 94961 9569d0 47 API calls __crtLCMapStringA_stat 94858->94961 94860 962aef _wparse_cmdline 94860->94857 94862 962ccd __wsetenvp 94861->94862 94866 962cc5 94861->94866 94863 956986 __calloc_crt 47 API calls 94862->94863 94871 962cf6 __wsetenvp 94863->94871 94864 962d4d 94865 951c9d _free 47 API calls 94864->94865 94865->94866 94866->94792 94867 956986 __calloc_crt 47 API calls 94867->94871 94868 962d72 94870 951c9d _free 47 API calls 94868->94870 94870->94866 94871->94864 94871->94866 94871->94867 94871->94868 94872 962d89 94871->94872 94962 962567 47 API calls __mbsnbicoll_l 94871->94962 94963 956e20 IsProcessorFeaturePresent 94872->94963 94874 962d95 94874->94792 94876 9511a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 94875->94876 94878 9511e0 __IsNonwritableInCurrentImage 94876->94878 94986 950f0a 52 API calls __cinit 94876->94986 94878->94796 94880 9a1ebf 94879->94880 94881 933a29 94879->94881 94882 933a63 IsThemeActive 94881->94882 94987 951405 94882->94987 94886 933a8f 94999 933adb SystemParametersInfoW SystemParametersInfoW 94886->94999 94888 933a9b 95000 933d19 94888->95000 94890 933aa3 SystemParametersInfoW 94891 933ac8 94890->94891 94891->94800 94892->94773 94893->94778 94894->94785 94898->94801 94899->94804 94900->94810 94901->94812 94902->94817 94903->94816 94906 95698d 94904->94906 94907 9569ca 94906->94907 94908 9569ab Sleep 94906->94908 94913 9630aa 94906->94913 94907->94821 94910 957ec9 TlsSetValue 94907->94910 94909 9569c2 94908->94909 94909->94906 94909->94907 94910->94824 94911->94828 94912->94825 94914 9630b5 94913->94914 94919 9630d0 __calloc_impl 94913->94919 94915 9630c1 94914->94915 94914->94919 94920 957c0e 47 API calls __getptd_noexit 94915->94920 94917 9630e0 HeapAlloc 94918 9630c6 
94917->94918 94917->94919 94918->94906 94919->94917 94919->94918 94920->94918 94922 957d05 94921->94922 94923 957d18 EnterCriticalSection 94921->94923 94929 957d7c 94922->94929 94923->94832 94925 957d0b 94925->94923 94953 95115b 47 API calls 3 library calls 94925->94953 94928->94834 94930 957d88 type_info::_Type_info_dtor 94929->94930 94931 957d91 94930->94931 94932 957da9 94930->94932 94954 9581c2 47 API calls 2 library calls 94931->94954 94934 957da7 94932->94934 94939 957e11 type_info::_Type_info_dtor 94932->94939 94934->94932 94957 9569d0 47 API calls __crtLCMapStringA_stat 94934->94957 94936 957d96 94955 95821f 47 API calls 8 library calls 94936->94955 94937 957dbd 94940 957dc4 94937->94940 94941 957dd3 94937->94941 94939->94925 94958 957c0e 47 API calls __getptd_noexit 94940->94958 94944 957cf4 __lock 46 API calls 94941->94944 94942 957d9d 94956 951145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 94942->94956 94947 957dda 94944->94947 94946 957dc9 94946->94939 94948 957dfe 94947->94948 94949 957de9 InitializeCriticalSectionAndSpinCount 94947->94949 94950 951c9d _free 46 API calls 94948->94950 94951 957e04 94949->94951 94950->94951 94959 957e1a LeaveCriticalSection _doexit 94951->94959 94954->94936 94955->94942 94957->94937 94958->94946 94959->94939 94960->94854 94961->94860 94962->94871 94964 956e2b 94963->94964 94969 956cb5 94964->94969 94968 956e46 94968->94874 94970 956ccf _memset __call_reportfault 94969->94970 94971 956cef IsDebuggerPresent 94970->94971 94977 9581ac SetUnhandledExceptionFilter UnhandledExceptionFilter 94971->94977 94974 956dd6 94976 958197 GetCurrentProcess TerminateProcess 94974->94976 94975 956db3 __call_reportfault 94978 95a70c 94975->94978 94976->94968 94977->94975 94979 95a714 94978->94979 94980 95a716 IsProcessorFeaturePresent 94978->94980 94979->94974 94982 9637b0 94980->94982 94985 96375f 5 API calls 2 library calls 94982->94985 94984 963893 94984->94974 94985->94984 94986->94878 94988 957cf4 __lock 47 API 
calls 94987->94988 94989 951410 94988->94989 95052 957e58 LeaveCriticalSection 94989->95052 94991 933a88 94992 95146d 94991->94992 94993 951477 94992->94993 94994 951491 94992->94994 94993->94994 95053 957c0e 47 API calls __getptd_noexit 94993->95053 94994->94886 94996 951481 95054 956e10 8 API calls __mbsnbicoll_l 94996->95054 94998 95148c 94998->94886 94999->94888 95001 933d26 __ftell_nolock 95000->95001 95002 93d7f7 48 API calls 95001->95002 95003 933d31 GetCurrentDirectoryW 95002->95003 95055 9361ca 95003->95055 95005 933d57 IsDebuggerPresent 95006 933d65 95005->95006 95007 9a1cc1 MessageBoxA 95005->95007 95008 933e3a 95006->95008 95010 9a1cd9 95006->95010 95011 933d82 95006->95011 95007->95010 95009 933e41 SetCurrentDirectoryW 95008->95009 95016 933e4e Mailbox 95009->95016 95231 94c682 48 API calls 95010->95231 95129 9340e5 95011->95129 95015 933da0 GetFullPathNameW 95018 936a63 48 API calls 95015->95018 95016->94890 95017 9a1ce9 95020 9a1cff SetCurrentDirectoryW 95017->95020 95019 933ddb 95018->95019 95145 936430 95019->95145 95020->95016 95023 933df6 95024 933e00 95023->95024 95232 9771fa AllocateAndInitializeSid CheckTokenMembership FreeSid 95023->95232 95161 933e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 95024->95161 95027 9a1d1c 95027->95024 95031 9a1d2d 95027->95031 95030 933e0a 95032 933e1f 95030->95032 95035 934ffc 67 API calls 95030->95035 95033 935374 50 API calls 95031->95033 95169 93e8d0 95032->95169 95034 9a1d35 95033->95034 95037 93ce19 48 API calls 95034->95037 95035->95032 95039 9a1d42 95037->95039 95040 9a1d49 95039->95040 95041 9a1d6e 95039->95041 95043 93518c 48 API calls 95040->95043 95044 93518c 48 API calls 95041->95044 95045 9a1d54 95043->95045 95046 9a1d6a GetForegroundWindow ShellExecuteW 95044->95046 95047 93510d 48 API calls 95045->95047 95050 9a1d9e Mailbox 95046->95050 95049 9a1d61 95047->95049 95051 93518c 48 API calls 95049->95051 95050->95008 95051->95046 95052->94991 95053->94996 95054->94998 95233 94e99b 
95055->95233 95059 9361eb 95060 935374 50 API calls 95059->95060 95061 9361ff 95060->95061 95062 93ce19 48 API calls 95061->95062 95063 93620c 95062->95063 95250 9339db 95063->95250 95065 936216 Mailbox 95066 936eed 48 API calls 95065->95066 95067 93622b 95066->95067 95262 939048 95067->95262 95070 93ce19 48 API calls 95071 936244 95070->95071 95265 93d6e9 95071->95265 95073 936254 Mailbox 95074 93ce19 48 API calls 95073->95074 95075 93627c 95074->95075 95076 93d6e9 55 API calls 95075->95076 95077 93628f Mailbox 95076->95077 95078 93ce19 48 API calls 95077->95078 95079 9362a0 95078->95079 95269 93d645 95079->95269 95081 9362b2 Mailbox 95082 93d7f7 48 API calls 95081->95082 95083 9362c5 95082->95083 95279 9363fc 95083->95279 95087 9362df 95088 9a1c08 95087->95088 95089 9362e9 95087->95089 95090 9363fc 48 API calls 95088->95090 95091 950fa7 _W_store_winword 59 API calls 95089->95091 95092 9a1c1c 95090->95092 95093 9362f4 95091->95093 95095 9363fc 48 API calls 95092->95095 95093->95092 95094 9362fe 95093->95094 95096 950fa7 _W_store_winword 59 API calls 95094->95096 95097 9a1c38 95095->95097 95098 936309 95096->95098 95101 935374 50 API calls 95097->95101 95098->95097 95099 936313 95098->95099 95100 950fa7 _W_store_winword 59 API calls 95099->95100 95102 93631e 95100->95102 95103 9a1c5d 95101->95103 95104 93635f 95102->95104 95106 9a1c86 95102->95106 95109 9363fc 48 API calls 95102->95109 95105 9363fc 48 API calls 95103->95105 95104->95106 95107 93636c 95104->95107 95108 9a1c69 95105->95108 95110 936eed 48 API calls 95106->95110 95114 94c050 48 API calls 95107->95114 95111 936eed 48 API calls 95108->95111 95112 936342 95109->95112 95113 9a1ca8 95110->95113 95115 9a1c77 95111->95115 95117 936eed 48 API calls 95112->95117 95118 9363fc 48 API calls 95113->95118 95119 936384 95114->95119 95116 9363fc 48 API calls 95115->95116 95116->95106 95120 936350 95117->95120 95121 9a1cb5 95118->95121 95122 941b90 48 API calls 95119->95122 95123 9363fc 48 API calls 95120->95123 
95121->95121 95126 936394 95122->95126 95123->95104 95124 941b90 48 API calls 95124->95126 95126->95124 95127 9363fc 48 API calls 95126->95127 95128 9363d6 Mailbox 95126->95128 95295 936b68 48 API calls 95126->95295 95127->95126 95128->95005 95130 9340f2 __ftell_nolock 95129->95130 95131 93410b 95130->95131 95132 9a370e _memset 95130->95132 95133 93660f 49 API calls 95131->95133 95134 9a372a GetOpenFileNameW 95132->95134 95135 934114 95133->95135 95136 9a3779 95134->95136 95819 9340a7 95135->95819 95139 936a63 48 API calls 95136->95139 95141 9a378e 95139->95141 95141->95141 95142 934129 95837 934139 95142->95837 95146 93643d __ftell_nolock 95145->95146 96039 934c75 95146->96039 95148 936442 95149 933dee 95148->95149 96050 935928 86 API calls 95148->96050 95149->95017 95149->95023 95151 93644f 95151->95149 96051 935798 88 API calls Mailbox 95151->96051 95153 936458 95153->95149 95154 93645c GetFullPathNameW 95153->95154 95155 936a63 48 API calls 95154->95155 95156 936488 95155->95156 95157 936a63 48 API calls 95156->95157 95158 936495 95157->95158 95159 9a5dcf _wcscat 95158->95159 95160 936a63 48 API calls 95158->95160 95160->95149 95162 9a1cba 95161->95162 95163 933ed8 95161->95163 96053 934024 95163->96053 95167 933e05 95168 9336b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 95167->95168 95168->95030 95170 93e8f6 95169->95170 95219 93e906 Mailbox 95169->95219 95172 93ed52 95170->95172 95170->95219 95171 97cc5c 86 API calls 95171->95219 96177 94e3cd 335 API calls 95172->96177 95174 933e2a 95174->95008 95230 933847 Shell_NotifyIconW _memset 95174->95230 95176 93ed63 95176->95174 95178 93ed70 95176->95178 95177 93e94c PeekMessageW 95177->95219 96179 94e312 335 API calls Mailbox 95178->96179 95180 9a526e Sleep 95180->95219 95181 93ed77 LockWindowUpdate DestroyWindow GetMessageW 95181->95174 95184 93eda9 95181->95184 95183 93ebc7 95183->95174 96178 932ff6 16 API calls 95183->96178 95186 9a59ef TranslateMessage DispatchMessageW GetMessageW 95184->95186 
95186->95186 95187 9a5a1f 95186->95187 95187->95174 95188 93ed21 PeekMessageW 95188->95219 95189 931caa 49 API calls 95189->95219 95190 94f4ea 48 API calls 95190->95219 95191 93ebf7 timeGetTime 95191->95219 95193 936eed 48 API calls 95193->95219 95194 9a5557 WaitForSingleObject 95196 9a5574 GetExitCodeProcess CloseHandle 95194->95196 95194->95219 95195 93ed3a TranslateMessage DispatchMessageW 95195->95188 95196->95219 95197 9a588f Sleep 95220 9a5429 Mailbox 95197->95220 95198 93d7f7 48 API calls 95198->95220 95199 93edae timeGetTime 96180 931caa 49 API calls 95199->96180 95201 9a5733 Sleep 95201->95220 95204 9a5926 GetExitCodeProcess 95209 9a593c WaitForSingleObject 95204->95209 95210 9a5952 CloseHandle 95204->95210 95205 932aae 311 API calls 95205->95219 95207 94dc38 timeGetTime 95207->95220 95208 9a5445 Sleep 95208->95219 95209->95210 95209->95219 95210->95220 95211 9a5432 Sleep 95211->95208 95212 998c4b 108 API calls 95212->95220 95213 932c79 107 API calls 95213->95220 95215 9a59ae Sleep 95215->95219 95218 93ce19 48 API calls 95218->95220 95219->95171 95219->95177 95219->95180 95219->95183 95219->95188 95219->95189 95219->95190 95219->95191 95219->95193 95219->95194 95219->95195 95219->95197 95219->95199 95219->95201 95219->95205 95219->95208 95219->95220 95222 93fe30 311 API calls 95219->95222 95228 93ce19 48 API calls 95219->95228 95229 93d6e9 55 API calls 95219->95229 96058 93f110 95219->96058 96123 9445e0 95219->96123 96139 943200 95219->96139 96165 94e244 95219->96165 96170 94dc5f 95219->96170 96175 93eed0 335 API calls Mailbox 95219->96175 96176 93ef00 335 API calls 95219->96176 96181 998d23 48 API calls 95219->96181 95220->95198 95220->95204 95220->95207 95220->95208 95220->95211 95220->95212 95220->95213 95220->95215 95220->95218 95220->95219 95223 93d6e9 55 API calls 95220->95223 96182 974cbe 49 API calls Mailbox 95220->96182 96183 931caa 49 API calls 95220->96183 96184 932aae 335 API calls 95220->96184 96185 98ccb2 50 API calls 95220->96185 96186 
977a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 95220->96186 96187 976532 63 API calls 3 library calls 95220->96187 95222->95219 95223->95220 95228->95219 95229->95219 95230->95008 95231->95017 95232->95027 95234 93d7f7 48 API calls 95233->95234 95235 9361db 95234->95235 95236 936009 95235->95236 95237 936016 __ftell_nolock 95236->95237 95238 936a63 48 API calls 95237->95238 95243 93617c Mailbox 95237->95243 95240 936048 95238->95240 95249 93607e Mailbox 95240->95249 95296 9361a6 95240->95296 95241 9361a6 48 API calls 95241->95249 95242 93614f 95242->95243 95244 93ce19 48 API calls 95242->95244 95243->95059 95245 936170 95244->95245 95247 9364cf 48 API calls 95245->95247 95246 93ce19 48 API calls 95246->95249 95247->95243 95248 9364cf 48 API calls 95248->95249 95249->95241 95249->95242 95249->95243 95249->95246 95249->95248 95299 9341a9 95250->95299 95253 933a06 95253->95065 95256 9a2ff0 95258 951c9d _free 47 API calls 95256->95258 95259 9a2ffd 95258->95259 95260 934252 84 API calls 95259->95260 95261 9a3006 95260->95261 95261->95261 95263 94f4ea 48 API calls 95262->95263 95264 936237 95263->95264 95264->95070 95266 93d6f4 95265->95266 95267 93d71b 95266->95267 95812 93d764 55 API calls 95266->95812 95267->95073 95270 93d654 95269->95270 95278 93d67e 95269->95278 95271 93d65b 95270->95271 95275 93d6c2 95270->95275 95272 93d6ab 95271->95272 95273 93d666 95271->95273 95272->95278 95814 94dce0 53 API calls 95272->95814 95813 93d9a0 53 API calls __cinit 95273->95813 95275->95272 95815 94dce0 53 API calls 95275->95815 95278->95081 95280 936406 95279->95280 95281 93641f 95279->95281 95283 936eed 48 API calls 95280->95283 95282 936a63 48 API calls 95281->95282 95284 9362d1 95282->95284 95283->95284 95285 950fa7 95284->95285 95286 950fb3 95285->95286 95287 951028 95285->95287 95294 950fd8 95286->95294 95816 957c0e 47 API calls __getptd_noexit 95286->95816 95818 95103a 59 API calls 3 library calls 95287->95818 95290 951035 
95290->95087 95291 950fbf 95817 956e10 8 API calls __mbsnbicoll_l 95291->95817 95293 950fca 95293->95087 95294->95087 95295->95126 95297 93bdfa 48 API calls 95296->95297 95298 9361b1 95297->95298 95298->95240 95364 934214 95299->95364 95304 9341d4 LoadLibraryExW 95374 934291 95304->95374 95305 9a4f73 95306 934252 84 API calls 95305->95306 95308 9a4f7a 95306->95308 95310 934291 3 API calls 95308->95310 95313 9a4f82 95310->95313 95312 9341fb 95312->95313 95314 934207 95312->95314 95400 9344ed 95313->95400 95316 934252 84 API calls 95314->95316 95318 9339fe 95316->95318 95318->95253 95323 97c396 95318->95323 95320 9a4fa9 95408 934950 95320->95408 95322 9a4fb6 95324 934517 83 API calls 95323->95324 95325 97c405 95324->95325 95586 97c56d 95325->95586 95328 9344ed 64 API calls 95329 97c432 95328->95329 95330 9344ed 64 API calls 95329->95330 95331 97c442 95330->95331 95332 9344ed 64 API calls 95331->95332 95333 97c45d 95332->95333 95334 9344ed 64 API calls 95333->95334 95335 97c478 95334->95335 95336 934517 83 API calls 95335->95336 95337 97c48f 95336->95337 95338 95395c __crtLCMapStringA_stat 47 API calls 95337->95338 95339 97c496 95338->95339 95340 95395c __crtLCMapStringA_stat 47 API calls 95339->95340 95341 97c4a0 95340->95341 95342 9344ed 64 API calls 95341->95342 95343 97c4b4 95342->95343 95344 97bf5a GetSystemTimeAsFileTime 95343->95344 95345 97c4c7 95344->95345 95346 97c4f1 95345->95346 95347 97c4dc 95345->95347 95349 97c4f7 95346->95349 95350 97c556 95346->95350 95348 951c9d _free 47 API calls 95347->95348 95352 97c4e2 95348->95352 95592 97b965 118 API calls __fcloseall 95349->95592 95351 951c9d _free 47 API calls 95350->95351 95356 97c41b 95351->95356 95354 951c9d _free 47 API calls 95352->95354 95354->95356 95355 97c54e 95357 951c9d _free 47 API calls 95355->95357 95356->95256 95358 934252 95356->95358 95357->95356 95359 93425c 95358->95359 95361 934263 95358->95361 95593 9535e4 95359->95593 95362 934283 FreeLibrary 95361->95362 95363 934272 95361->95363 
95362->95363 95363->95256 95413 934339 95364->95413 95367 93423c 95368 934244 FreeLibrary 95367->95368 95369 9341bb 95367->95369 95368->95369 95371 953499 95369->95371 95421 9534ae 95371->95421 95373 9341c8 95373->95304 95373->95305 95500 9342e4 95374->95500 95377 9342c1 FreeLibrary 95378 9341ec 95377->95378 95381 934380 95378->95381 95380 9342b8 95380->95377 95380->95378 95382 94f4ea 48 API calls 95381->95382 95383 934395 95382->95383 95384 9347b7 48 API calls 95383->95384 95385 9343a1 _memcpy_s 95384->95385 95386 9343dc 95385->95386 95388 9344d1 95385->95388 95389 934499 95385->95389 95387 934950 57 API calls 95386->95387 95392 9343e5 95387->95392 95519 97c750 93 API calls 95388->95519 95508 93406b CreateStreamOnHGlobal 95389->95508 95393 9344ed 64 API calls 95392->95393 95395 934479 95392->95395 95396 9a4ed7 95392->95396 95514 934517 95392->95514 95393->95392 95395->95312 95397 934517 83 API calls 95396->95397 95398 9a4eeb 95397->95398 95399 9344ed 64 API calls 95398->95399 95399->95395 95401 9a4fc0 95400->95401 95402 9344ff 95400->95402 95543 95381e 95402->95543 95405 97bf5a 95563 97bdb4 95405->95563 95407 97bf70 95407->95320 95409 9a5002 95408->95409 95410 93495f 95408->95410 95568 953e65 95410->95568 95412 934967 95412->95322 95417 93434b 95413->95417 95416 934321 LoadLibraryA GetProcAddress 95416->95367 95418 93422f 95417->95418 95419 934354 LoadLibraryA 95417->95419 95418->95367 95418->95416 95419->95418 95420 934365 GetProcAddress 95419->95420 95420->95418 95424 9534ba type_info::_Type_info_dtor 95421->95424 95422 9534cd 95469 957c0e 47 API calls __getptd_noexit 95422->95469 95424->95422 95426 9534fe 95424->95426 95425 9534d2 95470 956e10 8 API calls __mbsnbicoll_l 95425->95470 95440 95e4c8 95426->95440 95429 953503 95430 95350c 95429->95430 95431 953519 95429->95431 95471 957c0e 47 API calls __getptd_noexit 95430->95471 95433 953543 95431->95433 95434 953523 95431->95434 95454 95e5e0 95433->95454 95472 957c0e 47 API calls __getptd_noexit 95434->95472 
95436 9534dd type_info::_Type_info_dtor @_EH4_CallFilterFunc@8 95436->95373 95441 95e4d4 type_info::_Type_info_dtor 95440->95441 95442 957cf4 __lock 47 API calls 95441->95442 95443 95e4e2 95442->95443 95444 95e559 95443->95444 95450 957d7c __mtinitlocknum 47 API calls 95443->95450 95452 95e552 95443->95452 95477 954e5b 48 API calls __lock 95443->95477 95478 954ec5 LeaveCriticalSection LeaveCriticalSection _doexit 95443->95478 95479 9569d0 47 API calls __crtLCMapStringA_stat 95444->95479 95447 95e5cc type_info::_Type_info_dtor 95447->95429 95448 95e560 95449 95e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 95448->95449 95448->95452 95449->95452 95450->95443 95474 95e5d7 95452->95474 95463 95e600 __wopenfile 95454->95463 95455 95e61a 95484 957c0e 47 API calls __getptd_noexit 95455->95484 95456 95e7d5 95456->95455 95460 95e838 95456->95460 95458 95e61f 95485 956e10 8 API calls __mbsnbicoll_l 95458->95485 95481 9663c9 95460->95481 95461 95354e 95473 953570 LeaveCriticalSection LeaveCriticalSection _fseek 95461->95473 95463->95455 95463->95456 95486 95185b 59 API calls 2 library calls 95463->95486 95465 95e7ce 95465->95456 95487 95185b 59 API calls 2 library calls 95465->95487 95467 95e7ed 95467->95456 95488 95185b 59 API calls 2 library calls 95467->95488 95469->95425 95470->95436 95471->95436 95472->95436 95473->95436 95480 957e58 LeaveCriticalSection 95474->95480 95476 95e5de 95476->95447 95477->95443 95478->95443 95479->95448 95480->95476 95489 965bb1 95481->95489 95483 9663e2 95483->95461 95484->95458 95485->95461 95486->95465 95487->95467 95488->95456 95490 965bbd type_info::_Type_info_dtor 95489->95490 95491 965bcf 95490->95491 95493 965c06 95490->95493 95492 957c0e __mbsnbicoll_l 47 API calls 95491->95492 95494 965bd4 95492->95494 95495 965c78 __wsopen_helper 110 API calls 95493->95495 95496 956e10 __mbsnbicoll_l 8 API calls 95494->95496 95497 965c23 95495->95497 95499 965bde type_info::_Type_info_dtor 95496->95499 95498 965c4c __wsopen_helper 
LeaveCriticalSection 95497->95498 95498->95499 95499->95483 95504 9342f6 95500->95504 95503 9342cc LoadLibraryA GetProcAddress 95503->95380 95505 9342aa 95504->95505 95506 9342ff LoadLibraryA 95504->95506 95505->95380 95505->95503 95506->95505 95507 934310 GetProcAddress 95506->95507 95507->95505 95509 934085 FindResourceExW 95508->95509 95513 9340a2 95508->95513 95510 9a4f16 LoadResource 95509->95510 95509->95513 95511 9a4f2b SizeofResource 95510->95511 95510->95513 95512 9a4f3f LockResource 95511->95512 95511->95513 95512->95513 95513->95386 95515 934526 95514->95515 95516 9a4fe0 95514->95516 95520 953a8d 95515->95520 95518 934534 95518->95392 95519->95386 95522 953a99 type_info::_Type_info_dtor 95520->95522 95521 953aa7 95533 957c0e 47 API calls __getptd_noexit 95521->95533 95522->95521 95523 953acd 95522->95523 95535 954e1c 95523->95535 95526 953aac 95534 956e10 8 API calls __mbsnbicoll_l 95526->95534 95527 953ad3 95541 9539fe 81 API calls 5 library calls 95527->95541 95530 953ae2 95542 953b04 LeaveCriticalSection LeaveCriticalSection _fseek 95530->95542 95532 953ab7 type_info::_Type_info_dtor 95532->95518 95533->95526 95534->95532 95536 954e2c 95535->95536 95537 954e4e EnterCriticalSection 95535->95537 95536->95537 95538 954e34 95536->95538 95539 954e44 95537->95539 95540 957cf4 __lock 47 API calls 95538->95540 95539->95527 95540->95539 95541->95530 95542->95532 95546 953839 95543->95546 95545 934510 95545->95405 95547 953845 type_info::_Type_info_dtor 95546->95547 95548 953888 95547->95548 95549 95385b _memset 95547->95549 95558 953880 type_info::_Type_info_dtor 95547->95558 95550 954e1c __lock_file 48 API calls 95548->95550 95559 957c0e 47 API calls __getptd_noexit 95549->95559 95551 95388e 95550->95551 95561 95365b 62 API calls 5 library calls 95551->95561 95554 953875 95560 956e10 8 API calls __mbsnbicoll_l 95554->95560 95555 9538a4 95562 9538c2 LeaveCriticalSection LeaveCriticalSection _fseek 95555->95562 95558->95545 95559->95554 95560->95558 

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 055cdb899ce90b9075861d494802ff78cc9e30a08eefd9eba8b1f31beb8b1b4c
                              • Instruction ID: c3747819ece5d1e0e2f32fee4d4501d67f64e0ffd8a9c01548cea2f0688e979e
                              • Opcode Fuzzy Hash: 055cdb899ce90b9075861d494802ff78cc9e30a08eefd9eba8b1f31beb8b1b4c
                              • Instruction Fuzzy Hash: 31326E75B022288FDB24CF55DC816E9B7B9FF4A311F1841D9E80AA7A91D7309E84CF52

                              Control-flow Graph

                              APIs
                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00933AA3,?), ref: 00933D45
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,00933AA3,?), ref: 00933D57
                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,009F1148,009F1130,?,?,?,?,00933AA3,?), ref: 00933DC8
                                • Part of subcall function 00936430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00933DEE,009F1148,?,?,?,?,?,00933AA3,?), ref: 00936471
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,00933AA3,?), ref: 00933E48
                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009E28F4,00000010), ref: 009A1CCE
                              • SetCurrentDirectoryW.KERNEL32(?,009F1148,?,?,?,?,?,00933AA3,?), ref: 009A1D06
                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,009CDAB4,009F1148,?,?,?,?,?,00933AA3,?), ref: 009A1D89
                              • ShellExecuteW.SHELL32(00000000,?,?,?,?,00933AA3), ref: 009A1D90
                                • Part of subcall function 00933E6E: GetSysColorBrush.USER32(0000000F), ref: 00933E79
                                • Part of subcall function 00933E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00933E88
                                • Part of subcall function 00933E6E: LoadIconW.USER32(00000063), ref: 00933E9E
                                • Part of subcall function 00933E6E: LoadIconW.USER32(000000A4), ref: 00933EB0
                                • Part of subcall function 00933E6E: LoadIconW.USER32(000000A2), ref: 00933EC2
                                • Part of subcall function 00933E6E: RegisterClassExW.USER32(?), ref: 00933F30
                                • Part of subcall function 009336B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009336E6
                                • Part of subcall function 009336B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00933707
                                • Part of subcall function 009336B8: ShowWindow.USER32(00000000,?,?,?,?,00933AA3,?), ref: 0093371B
                                • Part of subcall function 009336B8: ShowWindow.USER32(00000000,?,?,?,?,00933AA3,?), ref: 00933724
                                • Part of subcall function 00934FFC: _memset.LIBCMT ref: 00935022
                                • Part of subcall function 00934FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009350CB
                              Strings
                              • This is a third-party compiled AutoIt script., xrefs: 009A1CC8
                              • runas, xrefs: 009A1D84
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                              • String ID: This is a third-party compiled AutoIt script.$runas
                              • API String ID: 438480954-3287110873
                              • Opcode ID: c0e32c33f0aee082a0f3ea5ae9d5b219d78fe1995dfae0e6c03559958f415309
                              • Instruction ID: f63cadf3ec60bdf399181345809fd85b492afd703f422ffa499dcaa436e8edbd
                              • Opcode Fuzzy Hash: c0e32c33f0aee082a0f3ea5ae9d5b219d78fe1995dfae0e6c03559958f415309
                              • Instruction Fuzzy Hash: 28511530A4C248FBCB21ABF1DC41FFE7BB99B8A714F008124F241A21A2DA744A45DF61

                              Control-flow Graph (graph not rendered; entry block 94ddc0; API calls reached from the graph: GetVersionExW, GetCurrentProcess, GetNativeSystemInfo, GetSystemInfo, FreeLibrary)
                              APIs
                              • GetVersionExW.KERNEL32(?), ref: 0094DDEC
                              • GetCurrentProcess.KERNEL32(00000000,009CDC38,?,?), ref: 0094DEAC
                              • GetNativeSystemInfo.KERNELBASE(?,009CDC38,?,?), ref: 0094DF01
                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 0094DF0C
                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 0094DF1F
                              • GetSystemInfo.KERNEL32(?,009CDC38,?,?), ref: 0094DF29
                              • GetSystemInfo.KERNEL32(?,009CDC38,?,?), ref: 0094DF35
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                              • String ID:
                              • API String ID: 3851250370-0
                              • Opcode ID: b9d2b9d0207d1a7a2c2d689830a099e17db5c0be5cc8028be7aeacc80ef1748c
                              • Instruction ID: f58107e95e7d27b8824ebebce26d44c36276e6190936e47f39f23d5be69e90f2
                              • Opcode Fuzzy Hash: b9d2b9d0207d1a7a2c2d689830a099e17db5c0be5cc8028be7aeacc80ef1748c
                              • Instruction Fuzzy Hash: 3661C0B581B384CFCF15CF6898C19EE7FB8AF6A300B1989D9D8459F207D624C908CB65

                              Control-flow Graph (graph not rendered; entry block 93406b; API calls reached from the graph: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource)
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0093449E,?,?,00000000,00000001), ref: 0093407B
                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0093449E,?,?,00000000,00000001), ref: 00934092
                              • LoadResource.KERNEL32(?,00000000,?,?,0093449E,?,?,00000000,00000001,?,?,?,?,?,?,009341FB), ref: 009A4F1A
                              • SizeofResource.KERNEL32(?,00000000,?,?,0093449E,?,?,00000000,00000001,?,?,?,?,?,?,009341FB), ref: 009A4F2F
                              • LockResource.KERNEL32(0093449E,?,?,0093449E,?,?,00000000,00000001,?,?,?,?,?,?,009341FB,00000000), ref: 009A4F42
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                              • String ID: SCRIPT
                              • API String ID: 3051347437-3967369404
                              • Opcode ID: ff9a00ecd1055882da6d63e61bc509a6ca9e4b44e7ee3c2b7f638d1f75ea8456
                              • Instruction ID: a3a6e75aca505a9bb0848a162118022b191b0014a55572ad4e7c8f072e7d697a
                              • Opcode Fuzzy Hash: ff9a00ecd1055882da6d63e61bc509a6ca9e4b44e7ee3c2b7f638d1f75ea8456
                              • Instruction Fuzzy Hash: 0C117070204701BFE7258B65ED48F277BBDEBC5B61F10412CF61286250DB71EC009A21
                              APIs
                              • GetFileAttributesW.KERNELBASE(?,009A2F49), ref: 00976CB9
                              • FindFirstFileW.KERNELBASE(?,?), ref: 00976CCA
                              • FindClose.KERNEL32(00000000), ref: 00976CDA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: FileFind$AttributesCloseFirst
                              • String ID:
                              • API String ID: 48322524-0
                              • Opcode ID: 18c5978efc5370ae3fd1f84d1d6e5b67a020ecef6ca794cd0416f6803cb072cf
                              • Instruction ID: 945abd97760056c2b04345dd2a05502b22d188a01ad13965ca6dd3b054605c40
                              • Opcode Fuzzy Hash: 18c5978efc5370ae3fd1f84d1d6e5b67a020ecef6ca794cd0416f6803cb072cf
                              • Instruction Fuzzy Hash: 44E0D832829811578214673CED0D4E9376CEA05339F104715F5F5C11D0F770ED0456D5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: BuffCharUpper
                              • String ID:
                              • API String ID: 3964851224-0
                              • Opcode ID: 0b6c9ff1c7b22c097439027db2f8c64425f8126d90154f4e7c515e6d3746798c
                              • Instruction ID: e252fe90723ee202bac27cc394c72f0e233449573f674592e145225879e8925b
                              • Opcode Fuzzy Hash: 0b6c9ff1c7b22c097439027db2f8c64425f8126d90154f4e7c515e6d3746798c
                              • Instruction Fuzzy Hash: 539277706083019FD724DF28C490F6ABBE5BF89304F14885DE99A8B3A2D775E945CB92
                              APIs
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0093E959
                              • timeGetTime.WINMM ref: 0093EBFA
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0093ED2E
                              • TranslateMessage.USER32(?), ref: 0093ED3F
                              • DispatchMessageW.USER32(?), ref: 0093ED4A
                              • LockWindowUpdate.USER32(00000000), ref: 0093ED79
                              • DestroyWindow.USER32 ref: 0093ED85
                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093ED9F
                              • Sleep.KERNEL32(0000000A), ref: 009A5270
                              • TranslateMessage.USER32(?), ref: 009A59F7
                              • DispatchMessageW.USER32(?), ref: 009A5A05
                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009A5A19
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                              • API String ID: 2641332412-570651680
                              • Opcode ID: 10179ad8c5e75834dbcf1b6ef4eba23eb394259c1c3ac5984103d3e467cfce0a
                              • Instruction ID: 9099bcec3c593fd831bc04ef8844d343c9925cec6ed9beb451e46e0956d86853
                              • Opcode Fuzzy Hash: 10179ad8c5e75834dbcf1b6ef4eba23eb394259c1c3ac5984103d3e467cfce0a
                              • Instruction Fuzzy Hash: 9662AF70608341DFDB25DF24C885BAA77E8BF85304F18496DF98A8B2D2DB759844CF92
                              APIs
                              • ___createFile.LIBCMT ref: 00965EC3
                              • ___createFile.LIBCMT ref: 00965F04
                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00965F2D
                              • __dosmaperr.LIBCMT ref: 00965F34
                              • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00965F47
                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00965F6A
                              • __dosmaperr.LIBCMT ref: 00965F73
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00965F7C
                              • __set_osfhnd.LIBCMT ref: 00965FAC
                              • __lseeki64_nolock.LIBCMT ref: 00966016
                              • __close_nolock.LIBCMT ref: 0096603C
                              • __chsize_nolock.LIBCMT ref: 0096606C
                              • __lseeki64_nolock.LIBCMT ref: 0096607E
                              • __lseeki64_nolock.LIBCMT ref: 00966176
                              • __lseeki64_nolock.LIBCMT ref: 0096618B
                              • __close_nolock.LIBCMT ref: 009661EB
                                • Part of subcall function 0095EA9C: CloseHandle.KERNELBASE(00000000,009DEEF4,00000000,?,00966041,009DEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0095EAEC
                                • Part of subcall function 0095EA9C: GetLastError.KERNEL32(?,00966041,009DEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0095EAF6
                                • Part of subcall function 0095EA9C: __free_osfhnd.LIBCMT ref: 0095EB03
                                • Part of subcall function 0095EA9C: __dosmaperr.LIBCMT ref: 0095EB25
                                • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                              • __lseeki64_nolock.LIBCMT ref: 0096620D
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00966342
                              • ___createFile.LIBCMT ref: 00966361
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0096636E
                              • __dosmaperr.LIBCMT ref: 00966375
                              • __free_osfhnd.LIBCMT ref: 00966395
                              • __invoke_watson.LIBCMT ref: 009663C3
                              • __wsopen_helper.LIBCMT ref: 009663DD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                              • String ID: @
                              • API String ID: 3896587723-2766056989
                              • Opcode ID: 24f19fc2db0baad1e573903116d479307abd60aa98e0c349fe9b666fe3d97406
                              • Instruction ID: 3d508be7100da99221eaa03bd6079ccc4bd00f4a39ba2868722e9a98f2d9028a
                              • Opcode Fuzzy Hash: 24f19fc2db0baad1e573903116d479307abd60aa98e0c349fe9b666fe3d97406
                              • Instruction Fuzzy Hash: 2022887190460A9FEF299F68DC65BBD7B79EF41324F254229E821EB2D2C3398D40C791

                              Control-flow Graph

                              APIs
                              • _wcscpy.LIBCMT ref: 0097FA96
                              • _wcschr.LIBCMT ref: 0097FAA4
                              • _wcscpy.LIBCMT ref: 0097FABB
                              • _wcscat.LIBCMT ref: 0097FACA
                              • _wcscat.LIBCMT ref: 0097FAE8
                              • _wcscpy.LIBCMT ref: 0097FB09
                              • __wsplitpath.LIBCMT ref: 0097FBE6
                              • _wcscpy.LIBCMT ref: 0097FC0B
                              • _wcscpy.LIBCMT ref: 0097FC1D
                              • _wcscpy.LIBCMT ref: 0097FC32
                              • _wcscat.LIBCMT ref: 0097FC47
                              • _wcscat.LIBCMT ref: 0097FC59
                              • _wcscat.LIBCMT ref: 0097FC6E
                                • Part of subcall function 0097BFA4: _wcscmp.LIBCMT ref: 0097C03E
                                • Part of subcall function 0097BFA4: __wsplitpath.LIBCMT ref: 0097C083
                                • Part of subcall function 0097BFA4: _wcscpy.LIBCMT ref: 0097C096
                                • Part of subcall function 0097BFA4: _wcscat.LIBCMT ref: 0097C0A9
                                • Part of subcall function 0097BFA4: __wsplitpath.LIBCMT ref: 0097C0CE
                                • Part of subcall function 0097BFA4: _wcscat.LIBCMT ref: 0097C0E4
                                • Part of subcall function 0097BFA4: _wcscat.LIBCMT ref: 0097C0F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                              • String ID: >>>AUTOIT SCRIPT<<<
                              • API String ID: 2955681530-2806939583
                              • Opcode ID: 32f5d15e0b4bae569bccb44910837fc2cfd26f53eeac62f2566b7c34c7814309
                              • Instruction ID: 5652a1502b5e5a379955274d7f0b6c8c77b1cbad759a90d745bfdd7738e33003
                              • Opcode Fuzzy Hash: 32f5d15e0b4bae569bccb44910837fc2cfd26f53eeac62f2566b7c34c7814309
                              • Instruction Fuzzy Hash: B69193725047059FCB24EB55C891F9AB3E8BFD4310F048869F99D97291DB34EA48CB92

                              Control-flow Graph

                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 00933F86
                              • RegisterClassExW.USER32(00000030), ref: 00933FB0
                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00933FC1
                              • InitCommonControlsEx.COMCTL32(?), ref: 00933FDE
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00933FEE
                              • LoadIconW.USER32(000000A9), ref: 00934004
                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00934013
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                              • API String ID: 2914291525-1005189915
                              • Opcode ID: d8ca5f99b4a2d49e6a5c96672f88fd5a65e3b333931cda8f8816a944f43ecba7
                              • Instruction ID: f5ec62eda58df9ea19c89d91a747f9ec856c8c1bc3b05a507548244c48c97299
                              • Opcode Fuzzy Hash: d8ca5f99b4a2d49e6a5c96672f88fd5a65e3b333931cda8f8816a944f43ecba7
                              • Instruction Fuzzy Hash: 8321C5B5929318EFDB00DFA5E989BDDBBB4FB08710F00421AF521E62A0E7B54544EF91

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0097BDB4: __time64.LIBCMT ref: 0097BDBE
                                • Part of subcall function 00934517: _fseek.LIBCMT ref: 0093452F
                              • __wsplitpath.LIBCMT ref: 0097C083
                                • Part of subcall function 00951DFC: __wsplitpath_helper.LIBCMT ref: 00951E3C
                              • _wcscpy.LIBCMT ref: 0097C096
                              • _wcscat.LIBCMT ref: 0097C0A9
                              • __wsplitpath.LIBCMT ref: 0097C0CE
                              • _wcscat.LIBCMT ref: 0097C0E4
                              • _wcscat.LIBCMT ref: 0097C0F7
                              • _wcscmp.LIBCMT ref: 0097C03E
                                • Part of subcall function 0097C56D: _wcscmp.LIBCMT ref: 0097C65D
                                • Part of subcall function 0097C56D: _wcscmp.LIBCMT ref: 0097C670
                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0097C2A1
                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0097C338
                              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0097C34E
                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0097C35F
                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0097C371
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                              • String ID:
                              • API String ID: 2378138488-0
                              • Opcode ID: b5b982d9b837f38fc43582297ab8af44c248b89c08a83f96e0fa28e9a668bc04
                              • Instruction ID: e747ac4b2f3aa260c4ebc06886979d80542e53df438bcd9d1ce083be87dfa5cb
                              • Opcode Fuzzy Hash: b5b982d9b837f38fc43582297ab8af44c248b89c08a83f96e0fa28e9a668bc04
                              • Instruction Fuzzy Hash: C3C10DB2A00219AFDF15DF95CC85FDEB7BDAF85310F1080AAF609E6151DB709A848F61

                               Control-flow Graph
                               control_flow_graph 957 933742-933762 959 9337c2-9337c4 957->959 960 933764-933767 957->960 959->960 963 9337c6 959->963 961 933769-933770 960->961 962 9337c8 960->962 964 933776-93377b 961->964 965 93382c-933834 PostQuitMessage 961->965 967 9a1e00-9a1e2e call 932ff6 call 94e312 962->967 968 9337ce-9337d1 962->968 966 9337ab-9337b3 DefWindowProcW 963->966 970 9a1e88-9a1e9c call 974ddd 964->970 971 933781-933783 964->971 972 9337f2-9337f4 965->972 973 9337b9-9337bf 966->973 1002 9a1e33-9a1e3a 967->1002 974 9337d3-9337d4 968->974 975 9337f6-93381d SetTimer RegisterWindowMessageW 968->975 970->972 995 9a1ea2 970->995 977 933836-933840 call 94eb83 971->977 978 933789-93378e 971->978 972->973 981 9a1da3-9a1da6 974->981 982 9337da-9337ed KillTimer call 933847 call 93390f 974->982 975->972 979 93381f-93382a CreatePopupMenu 975->979 996 933845 977->996 984 9a1e6d-9a1e74 978->984 985 933794-933799 978->985 979->972 988 9a1da8-9a1daa 981->988 989 9a1ddc-9a1dfb MoveWindow 981->989 982->972 984->966 991 9a1e7a-9a1e83 call 96a5f3 984->991 993 9a1e58-9a1e68 call 9755bd 985->993 994 93379f-9337a5 985->994 997 9a1dcb-9a1dd7 SetFocus 988->997 998 9a1dac-9a1daf 988->998 989->972 991->966 993->972 994->966 994->1002 995->966 996->972 997->972 998->994 1003 9a1db5-9a1dc6 call 932ff6 998->1003 1002->966 1006 9a1e40-9a1e53 call 933847 call 934ffc 1002->1006 1003->972 1006->966
                              APIs
                              • DefWindowProcW.USER32(?,?,?,?), ref: 009337B3
                              • KillTimer.USER32(?,00000001), ref: 009337DD
                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00933800
                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0093380B
                              • CreatePopupMenu.USER32 ref: 0093381F
                              • PostQuitMessage.USER32(00000000), ref: 0093382E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                              • String ID: TaskbarCreated
                              • API String ID: 129472671-2362178303
                              • Opcode ID: 5f1986467a579f1ee5282efde47c7f3fa8afd6ec7b10fefea1bc53e00694fb10
                              • Instruction ID: 1cd30f453b3cb0fe3304ad58f7a774dba372abfce079ac9ff2b841a165904eae
                              • Opcode Fuzzy Hash: 5f1986467a579f1ee5282efde47c7f3fa8afd6ec7b10fefea1bc53e00694fb10
                              • Instruction Fuzzy Hash: FE414DF52A824AE7DB246F28DD4EF7A3799F740300F048525F607D21A1DB649D50EFA2

                              Control-flow Graph

                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 00933E79
                              • LoadCursorW.USER32(00000000,00007F00), ref: 00933E88
                              • LoadIconW.USER32(00000063), ref: 00933E9E
                              • LoadIconW.USER32(000000A4), ref: 00933EB0
                              • LoadIconW.USER32(000000A2), ref: 00933EC2
                                • Part of subcall function 00934024: LoadImageW.USER32(00930000,00000063,00000001,00000010,00000010,00000000), ref: 00934048
                              • RegisterClassExW.USER32(?), ref: 00933F30
                                • Part of subcall function 00933F53: GetSysColorBrush.USER32(0000000F), ref: 00933F86
                                • Part of subcall function 00933F53: RegisterClassExW.USER32(00000030), ref: 00933FB0
                                • Part of subcall function 00933F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00933FC1
                                • Part of subcall function 00933F53: InitCommonControlsEx.COMCTL32(?), ref: 00933FDE
                                • Part of subcall function 00933F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00933FEE
                                • Part of subcall function 00933F53: LoadIconW.USER32(000000A9), ref: 00934004
                                • Part of subcall function 00933F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00934013
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                              • String ID: #$0$AutoIt v3
                              • API String ID: 423443420-4155596026
                              • Opcode ID: c3b9cf3ebff8273d96ed3ce0c91a804779ea5ef4fa579d95fc781acc56be00cd
                              • Instruction ID: 2db0698a2d603d8dddd6fe091e179688bf01441070237f4a595eeed63cb17445
                              • Opcode Fuzzy Hash: c3b9cf3ebff8273d96ed3ce0c91a804779ea5ef4fa579d95fc781acc56be00cd
                              • Instruction Fuzzy Hash: 022131B0E18304EBDB14DFA9ED45AA9BBF5EB48710F14422AE214A22A0D7754640EFD1

                               Control-flow Graph
                               control_flow_graph 1021 fef958-fefa06 call fed358 1024 fefa0d-fefa33 call ff0868 CreateFileW 1021->1024 1027 fefa3a-fefa4a 1024->1027 1028 fefa35 1024->1028 1036 fefa4c 1027->1036 1037 fefa51-fefa6b VirtualAlloc 1027->1037 1029 fefb85-fefb89 1028->1029 1030 fefbcb-fefbce 1029->1030 1031 fefb8b-fefb8f 1029->1031 1033 fefbd1-fefbd8 1030->1033 1034 fefb9b-fefb9f 1031->1034 1035 fefb91-fefb94 1031->1035 1040 fefc2d-fefc42 1033->1040 1041 fefbda-fefbe5 1033->1041 1042 fefbaf-fefbb3 1034->1042 1043 fefba1-fefbab 1034->1043 1035->1034 1036->1029 1038 fefa6d 1037->1038 1039 fefa72-fefa89 ReadFile 1037->1039 1038->1029 1044 fefa8b 1039->1044 1045 fefa90-fefad0 VirtualAlloc 1039->1045 1048 fefc44-fefc4f VirtualFree 1040->1048 1049 fefc52-fefc5a 1040->1049 1046 fefbe9-fefbf5 1041->1046 1047 fefbe7 1041->1047 1050 fefbb5-fefbbf 1042->1050 1051 fefbc3 1042->1051 1043->1042 1044->1029 1052 fefad7-fefaf2 call ff0ab8 1045->1052 1053 fefad2 1045->1053 1054 fefc09-fefc15 1046->1054 1055 fefbf7-fefc07 1046->1055 1047->1040 1048->1049 1050->1051 1051->1030 1061 fefafd-fefb07 1052->1061 1053->1029 1058 fefc17-fefc20 1054->1058 1059 fefc22-fefc28 1054->1059 1057 fefc2b 1055->1057 1057->1033 1058->1057 1059->1057 1062 fefb3a-fefb4e call ff08c8 1061->1062 1063 fefb09-fefb38 call ff0ab8 1061->1063 1068 fefb52-fefb56 1062->1068 1069 fefb50 1062->1069 1063->1061 1071 fefb58-fefb5c CloseHandle 1068->1071 1072 fefb62-fefb66 1068->1072 1069->1029 1071->1072 1073 fefb68-fefb73 VirtualFree 1072->1073 1074 fefb76-fefb7f 1072->1074 1073->1074 1074->1024 1074->1029
                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00FEFA29
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FEFC4F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290917379.0000000000FED000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fed000_RFQ.jbxd
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                              • Instruction ID: 0a36347021a4589ebdb4805f26adb2c5a9c42a40cc8b0c2a7a26c15583847239
                              • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                              • Instruction Fuzzy Hash: 36A13971E00249EBDB14CFA5C894BEEB7B5FF88314F2081A9E605BB280D7799A44DF54

                               Control-flow Graph
                               control_flow_graph 1130 9349fb-934a25 call 93bcce RegOpenKeyExW 1133 9a41cc-9a41e3 RegQueryValueExW 1130->1133 1134 934a2b-934a2f 1130->1134 1135 9a4246-9a424f RegCloseKey 1133->1135 1136 9a41e5-9a4222 call 94f4ea call 9347b7 RegQueryValueExW 1133->1136 1141 9a423d-9a4245 call 9347e2 1136->1141 1142 9a4224-9a423b call 936a63 1136->1142 1141->1135 1142->1141
                              APIs
                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00934A1D
                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009A41DB
                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009A421A
                              • RegCloseKey.ADVAPI32(?), ref: 009A4249
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: QueryValue$CloseOpen
                              • String ID: Include$Software\AutoIt v3\AutoIt
                              • API String ID: 1586453840-614718249
                              • Opcode ID: f7402e50cba630294547fb128af6a0b119c48f45b14e0813fd2c95f5d6fddc73
                              • Instruction ID: 90ff7cc9ab6ecb11cbed4e56d8ad38b715f7d471b66a7d9cc6c51c5970efdae3
                              • Opcode Fuzzy Hash: f7402e50cba630294547fb128af6a0b119c48f45b14e0813fd2c95f5d6fddc73
                              • Instruction Fuzzy Hash: 4B117F71A41109BFEB04ABA4CE86EFF7BBCEF55354F000068B502D2191EA70AE02DB50

                               Control-flow Graph
                               control_flow_graph 1157 9336b8-933728 CreateWindowExW * 2 ShowWindow * 2
                              APIs
                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009336E6
                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00933707
                              • ShowWindow.USER32(00000000,?,?,?,?,00933AA3,?), ref: 0093371B
                              • ShowWindow.USER32(00000000,?,?,?,?,00933AA3,?), ref: 00933724
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$CreateShow
                              • String ID: AutoIt v3$edit
                              • API String ID: 1584632944-3779509399
                              • Opcode ID: be1347d16f6bd0a4143a40861993e73029a6c15b5e7420ce58ce5fa7992509e3
                              • Instruction ID: 9fac1a90ad094e9edf53276890e8c70a59b120077e98d61763d9936dec84e08e
                              • Opcode Fuzzy Hash: be1347d16f6bd0a4143a40861993e73029a6c15b5e7420ce58ce5fa7992509e3
                              • Instruction Fuzzy Hash: A7F0DA719692D0BAEB315757AC48E772E7DD7C6F20B04012EFA04A21A0D9610895EAF1

                               Control-flow Graph
                               control_flow_graph 1262 fef708-fef859 call fed358 call fef5f8 CreateFileW 1269 fef85b 1262->1269 1270 fef860-fef870 1262->1270 1271 fef910-fef915 1269->1271 1273 fef877-fef891 VirtualAlloc 1270->1273 1274 fef872 1270->1274 1275 fef895-fef8ac ReadFile 1273->1275 1276 fef893 1273->1276 1274->1271 1277 fef8ae 1275->1277 1278 fef8b0-fef8ea call fef638 call fee5f8 1275->1278 1276->1271 1277->1271 1283 fef8ec-fef901 call fef688 1278->1283 1284 fef906-fef90e ExitProcess 1278->1284 1283->1284 1284->1271
                              APIs
                                • Part of subcall function 00FEF5F8: Sleep.KERNELBASE(000001F4), ref: 00FEF609
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00FEF84F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290917379.0000000000FED000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fed000_RFQ.jbxd
                              Similarity
                              • API ID: CreateFileSleep
                              • String ID: FSR9Z3CO2279G5QAYTGK6
                              • API String ID: 2694422964-274842691
                              • Opcode ID: c3e2a0fc003fbc317ca673fc4dbe75977c5102db535a2c7d65c7c07597b2dd7f
                              • Instruction ID: 0211b48a3ac7b4dc1513b6deef552b182c1a8550ead8ebeeade766bc3a65023b
                              • Opcode Fuzzy Hash: c3e2a0fc003fbc317ca673fc4dbe75977c5102db535a2c7d65c7c07597b2dd7f
                              • Instruction Fuzzy Hash: F151B531D04288DBEF11DBB4C844BEEBBB5AF55300F1441A9E248BB2C1D7BA1B49CB65

                               Control-flow Graph
                               control_flow_graph 1286 9351af-9351c5 1287 9352a2-9352a6 1286->1287 1288 9351cb-9351e0 call 936b0f 1286->1288 1291 9351e6-935206 call 936a63 1288->1291 1292 9a3ca1-9a3cb0 LoadStringW 1288->1292 1295 9a3cbb-9a3cd3 call 93510d call 934db1 1291->1295 1296 93520c-935210 1291->1296 1292->1295 1305 935220-93529d call 950d50 call 9350e6 call 950d23 Shell_NotifyIconW call 93cb37 1295->1305 1307 9a3cd9-9a3cf7 call 93518c call 934db1 call 93518c 1295->1307 1298 9352a7-9352b0 call 936eed 1296->1298 1299 935216-93521b call 93510d 1296->1299 1298->1305 1299->1305 1305->1287 1307->1305
                              APIs
                              • _memset.LIBCMT ref: 0093522F
                              • _wcscpy.LIBCMT ref: 00935283
                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00935293
                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009A3CB0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: IconLoadNotifyShell_String_memset_wcscpy
                              • String ID: Line:
                              • API String ID: 1053898822-1585850449
                              • Opcode ID: 133942dbc5e76c2620bb2d2a9b97e0bed6206ab1937588fa43fcde0eef2015cf
                              • Instruction ID: fac355ce903b6794e4cd4937a189a846440961b3e97d195661f887f873373813
                              • Opcode Fuzzy Hash: 133942dbc5e76c2620bb2d2a9b97e0bed6206ab1937588fa43fcde0eef2015cf
                              • Instruction Fuzzy Hash: 3331AD7150C740AFD321EBA0DC46FEF77E8AB88314F00891AF59992091EB70A648CFD6
                              APIs
                                • Part of subcall function 009341A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009339FE,?,00000001), ref: 009341DB
                              • _free.LIBCMT ref: 009A36B7
                              • _free.LIBCMT ref: 009A36FE
                                • Part of subcall function 0093C833: __wsplitpath.LIBCMT ref: 0093C93E
                                • Part of subcall function 0093C833: _wcscpy.LIBCMT ref: 0093C953
                                • Part of subcall function 0093C833: _wcscat.LIBCMT ref: 0093C968
                                • Part of subcall function 0093C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0093C978
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                              • API String ID: 805182592-1757145024
                              • Opcode ID: 1029530352da0d19f61efe5139113f4428c73694d96f72622042e8f578a866ce
                              • Instruction ID: 6c068dcc69f072837771dd5bf2833d944991c9ba0a46b4e638c5ffbfcad684ad
                              • Opcode Fuzzy Hash: 1029530352da0d19f61efe5139113f4428c73694d96f72622042e8f578a866ce
                              • Instruction Fuzzy Hash: AC916271910219AFCF04EFA4CC92AEEB7B4FF59310F548429F416AB291DB34AA45CF90
                              APIs
                                • Part of subcall function 00935374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009F1148,?,009361FF,?,00000000,00000001,00000000), ref: 00935392
                                • Part of subcall function 009349FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00934A1D
                              • _wcscat.LIBCMT ref: 009A2D80
                              • _wcscat.LIBCMT ref: 009A2DB5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _wcscat$FileModuleNameOpen
                              • String ID: \$\Include\
                              • API String ID: 3592542968-2640467822
                              • Opcode ID: 3165941560893628ca2c79648b327020d9d804cc2de6541f999d10858cfb23f8
                              • Instruction ID: a098c0e7603886e82240b071373b22ffa13277bdde9103f732262afcb06df20e
                              • Opcode Fuzzy Hash: 3165941560893628ca2c79648b327020d9d804cc2de6541f999d10858cfb23f8
                              • Instruction Fuzzy Hash: 2D51827152D3409BC314EF59D982AAAB7F8FF89300F50452EF685932A1EB309908DF5A
                              APIs
                              • __getstream.LIBCMT ref: 009534FE
                                • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 00953539
                              • __wopenfile.LIBCMT ref: 00953549
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                              • String ID: <G
                              • API String ID: 1820251861-2138716496
                              • Opcode ID: bee998a4844423ae15f5d3f851fcf931aea8c12b27bfd973346555e7c001cb06
                              • Instruction ID: 3110a0007c08a492987f2fde2ac8def95729861f7a75fe96270168b9311a3c42
                              • Opcode Fuzzy Hash: bee998a4844423ae15f5d3f851fcf931aea8c12b27bfd973346555e7c001cb06
                              • Instruction Fuzzy Hash: A9110A70A002069BDB12FFB39C4276E77A4AF85392B14C825FC19C7291FB34CB1997A1
                              APIs
                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0094D28B,SwapMouseButtons,00000004,?), ref: 0094D2BC
                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0094D28B,SwapMouseButtons,00000004,?,?,?,?,0094C865), ref: 0094D2DD
                              • RegCloseKey.KERNELBASE(00000000,?,?,0094D28B,SwapMouseButtons,00000004,?,?,?,?,0094C865), ref: 0094D2FF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: Control Panel\Mouse
                              • API String ID: 3677997916-824357125
                              • Opcode ID: d1ae361b30403670a670cdcffaaada33d38c3e236c51324c2fe83beb98a44d4b
                              • Instruction ID: 4a8259bed96bc9fa15009ef34a7285153b61494427b656c07d535f5a7ae83714
                              • Opcode Fuzzy Hash: d1ae361b30403670a670cdcffaaada33d38c3e236c51324c2fe83beb98a44d4b
                              • Instruction Fuzzy Hash: 64117979616209BFDB218FA4CC84EAF7BBCEF05758F004929E801D7114E671EE40AB60
                              APIs
                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00FEEE25
                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FEEE49
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FEEE6B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290917379.0000000000FED000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fed000_RFQ.jbxd
                              Similarity
                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                              • String ID:
                              • API String ID: 2438371351-0
                              • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                              • Instruction ID: b88c4eec25ec382cbc1d0be74cfd2fb0d2e23ef637a3df2e2d39a53961e52ff7
                              • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                              • Instruction Fuzzy Hash: 7862FA30A14258DBEB24CFA4C841BDEB376EF58300F1091A9D10DEB391E77A9E85DB59
                              APIs
                                • Part of subcall function 00934517: _fseek.LIBCMT ref: 0093452F
                                • Part of subcall function 0097C56D: _wcscmp.LIBCMT ref: 0097C65D
                                • Part of subcall function 0097C56D: _wcscmp.LIBCMT ref: 0097C670
                              • _free.LIBCMT ref: 0097C4DD
                              • _free.LIBCMT ref: 0097C4E4
                              • _free.LIBCMT ref: 0097C54F
                                • Part of subcall function 00951C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00957A85), ref: 00951CB1
                                • Part of subcall function 00951C9D: GetLastError.KERNEL32(00000000,?,00957A85), ref: 00951CC3
                              • _free.LIBCMT ref: 0097C557
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                              • String ID:
                              • API String ID: 1552873950-0
                              • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                              • Instruction ID: 91282ae54ce5661c7216039ff88169899aac7353b61def825cd480642a7d4913
                              • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                              • Instruction Fuzzy Hash: 1A515CF1A04218AFDF149F64DC81BADBBB9EF48304F1044AEF65DA3251DB716A808F58
                              APIs
                              • _memset.LIBCMT ref: 0094EBB2
                                • Part of subcall function 009351AF: _memset.LIBCMT ref: 0093522F
                                • Part of subcall function 009351AF: _wcscpy.LIBCMT ref: 00935283
                                • Part of subcall function 009351AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00935293
                              • KillTimer.USER32(?,00000001,?,?), ref: 0094EC07
                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0094EC16
                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009A3C88
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                              • String ID:
                              • API String ID: 1378193009-0
                              • Opcode ID: 6ee9746737516f70e407566919ebd838dccfa6229773d7067697237fefc2e075
                              • Instruction ID: 3d8607d02c3700732b79748eb44437f98dd3dbb6c8a71931bece26596b2fd2e9
                              • Opcode Fuzzy Hash: 6ee9746737516f70e407566919ebd838dccfa6229773d7067697237fefc2e075
                              • Instruction Fuzzy Hash: F721DA709087849FE7329B248C95FE7BBFCAB46318F04448DE6CA56181D7742A84CB91
                              APIs
                              • _memset.LIBCMT ref: 009A3725
                              • GetOpenFileNameW.COMDLG32 ref: 009A376F
                                • Part of subcall function 0093660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009353B1,?,?,009361FF,?,00000000,00000001,00000000), ref: 0093662F
                                • Part of subcall function 009340A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009340C6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Name$Path$FileFullLongOpen_memset
                              • String ID: X
                              • API String ID: 3777226403-3081909835
                              • Opcode ID: 3e9c9ae3e538d345d5c3ea060d9e757c78fdc02878d58f018f6108464cab4bf3
                              • Instruction ID: 7f63cb0a4f62ea6948550803620a0354996435cef9581429d373dd8810173cb9
                              • Opcode Fuzzy Hash: 3e9c9ae3e538d345d5c3ea060d9e757c78fdc02878d58f018f6108464cab4bf3
                              • Instruction Fuzzy Hash: 5321B771A14298AFCF11DFD4D845BEEBBFC9F89304F008059E505E7241DBB46A898FA5
                              APIs
                              • GetTempPathW.KERNEL32(00000104,?), ref: 0097C72F
                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0097C746
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Temp$FileNamePath
                              • String ID: aut
                              • API String ID: 3285503233-3010740371
                              • Opcode ID: 8493969d1e82c8b03907281049634f088bebb66c6c01128c4abcc511684529e2
                              • Instruction ID: 456116110b26a8077be234c595d6c85e571b2bfa06c89e63cb92dda28b36688e
                              • Opcode Fuzzy Hash: 8493969d1e82c8b03907281049634f088bebb66c6c01128c4abcc511684529e2
                              • Instruction Fuzzy Hash: 84D05E7150030EAFDB10AB90DD0EF8A776C9B00728F0002A07660A50B2EBB0E6998B54
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5896a4c2f979152d10115ea75f05b4a16b9cf805f25d3ca691ad1cdfc14d64fe
                              • Instruction ID: 1234db47a0272e7f198a56b91bd2c2286b61f5ad23c58b7aeae43eab2f875881
                              • Opcode Fuzzy Hash: 5896a4c2f979152d10115ea75f05b4a16b9cf805f25d3ca691ad1cdfc14d64fe
                              • Instruction Fuzzy Hash: 77F148716083019FCB10EF28C891B5AB7E5BFC8314F14896EF9999B392D735E905CB82
                              APIs
                              • _memset.LIBCMT ref: 00935022
                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 009350CB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: IconNotifyShell__memset
                              • String ID:
                              • API String ID: 928536360-0
                              • Opcode ID: 88c3617f8c8cd7dde641db8cb72faa3e2d91a9cea9e293fd88c2ea917dc06743
                              • Instruction ID: 035a32352aa05899cbd8bd4508533ab8c3c2823dd103e563748c610602a4bc72
                              • Opcode Fuzzy Hash: 88c3617f8c8cd7dde641db8cb72faa3e2d91a9cea9e293fd88c2ea917dc06743
                              • Instruction Fuzzy Hash: 96318EB1608701CFD725EF24D8856ABBBE8FF49304F00092EF59E82251E772A944CF92
                              APIs
                              • __FF_MSGBANNER.LIBCMT ref: 00953973
                                • Part of subcall function 009581C2: __NMSG_WRITE.LIBCMT ref: 009581E9
                                • Part of subcall function 009581C2: __NMSG_WRITE.LIBCMT ref: 009581F3
                              • __NMSG_WRITE.LIBCMT ref: 0095397A
                                • Part of subcall function 0095821F: GetModuleFileNameW.KERNEL32(00000000,009F0312,00000104,00000000,00000001,00000000), ref: 009582B1
                                • Part of subcall function 0095821F: ___crtMessageBoxW.LIBCMT ref: 0095835F
                                • Part of subcall function 00951145: ___crtCorExitProcess.LIBCMT ref: 0095114B
                                • Part of subcall function 00951145: ExitProcess.KERNEL32 ref: 00951154
                                • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                              • RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001,00000001,00000000,?,?,0094F507,?,0000000E), ref: 0095399F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                              • String ID:
                              • API String ID: 1372826849-0
                              • Opcode ID: 34b89e81e03f79322a954f944bb058b5e1dbef437b9163566e65f41a20e8425f
                              • Instruction ID: d1b201a85d80edcf6c1b054e276bf68b4826e6546ddc9f6f8657c506d1ef559e
                              • Opcode Fuzzy Hash: 34b89e81e03f79322a954f944bb058b5e1dbef437b9163566e65f41a20e8425f
                              • Instruction Fuzzy Hash: 2001D672249601DAE611FB67EC62B2E634C9BC27A2F204025FD01DB292DBF49D4887A0
                              APIs
                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0097C385,?,?,?,?,?,00000004), ref: 0097C6F2
                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0097C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0097C708
                              • CloseHandle.KERNEL32(00000000,?,0097C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0097C70F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: File$CloseCreateHandleTime
                              • String ID:
                              • API String ID: 3397143404-0
                              • Opcode ID: dd28be3d33cc38335ea0689d142c2e8b7dea7b75f6e3ccfc57786cc606e9411b
                              • Instruction ID: 1bb4f8f993cf4dba614cf616f32b2778946fbdbbe469e0719ba83ffbba884082
                              • Opcode Fuzzy Hash: dd28be3d33cc38335ea0689d142c2e8b7dea7b75f6e3ccfc57786cc606e9411b
                              • Instruction Fuzzy Hash: 70E08632145214B7D7251B58AC09FCE7B58AB05B70F144210FB14790E1A7B125119798
                              APIs
                              • _free.LIBCMT ref: 0097BB72
                                • Part of subcall function 00951C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00957A85), ref: 00951CB1
                                • Part of subcall function 00951C9D: GetLastError.KERNEL32(00000000,?,00957A85), ref: 00951CC3
                              • _free.LIBCMT ref: 0097BB83
                              • _free.LIBCMT ref: 0097BB95
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                              • Instruction ID: 76d196db597997ce6e124c081c85d2fe8ff94d8cea242e1c99b2d7317564c937
                              • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                              • Instruction Fuzzy Hash: E7E012A664174186DA24A57AAE48FB313CC4F85352714081EBC9DE7146CF24F84486A8
                              APIs
                                • Part of subcall function 009322A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,009324F1), ref: 00932303
                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009325A1
                              • CoInitialize.OLE32(00000000), ref: 00932618
                              • CloseHandle.KERNEL32(00000000), ref: 009A503A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Handle$CloseInitializeMessageRegisterWindow
                              • String ID:
                              • API String ID: 3815369404-0
                              • Opcode ID: 855c2e708299d8e0539401c68f61f8a0940a3bb2617bece63b1e5332ffe8102f
                              • Instruction ID: 628ce7e41afee68e762eaee0b3efc0855e6a60b23d9e033004214d0f0f4d84f1
                              • Opcode Fuzzy Hash: 855c2e708299d8e0539401c68f61f8a0940a3bb2617bece63b1e5332ffe8102f
                              • Instruction Fuzzy Hash: 9B71B1B4929385CBC714DF9BA9915B5BBE4FBA8358790422EE12AC7371CB714400EFD4
                              APIs
                              • IsThemeActive.UXTHEME ref: 00933A73
                                • Part of subcall function 00951405: __lock.LIBCMT ref: 0095140B
                                • Part of subcall function 00933ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00933AF3
                                • Part of subcall function 00933ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00933B08
                                • Part of subcall function 00933D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00933AA3,?), ref: 00933D45
                                • Part of subcall function 00933D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00933AA3,?), ref: 00933D57
                                • Part of subcall function 00933D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,009F1148,009F1130,?,?,?,?,00933AA3,?), ref: 00933DC8
                                • Part of subcall function 00933D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00933AA3,?), ref: 00933E48
                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00933AB3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                              • String ID:
                              • API String ID: 924797094-0
                              • Opcode ID: 1c4d6e3c84e632df0d1d477e358ff908b48069472df49f2c0d6260e6eaff99b8
                              • Instruction ID: 7414c80b4d32a4bf4069599662622d11ba6ffe9adb5f7f61945c5944e3924d66
                              • Opcode Fuzzy Hash: 1c4d6e3c84e632df0d1d477e358ff908b48069472df49f2c0d6260e6eaff99b8
                              • Instruction Fuzzy Hash: 08116A7191C3419BC300EF6AE845A2ABBE8EBD4710F00891EF485872A1DB709584DF92
                              APIs
                              • ___lock_fhandle.LIBCMT ref: 0095EA29
                              • __close_nolock.LIBCMT ref: 0095EA42
                                • Part of subcall function 00957BDA: __getptd_noexit.LIBCMT ref: 00957BDA
                                • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                              • String ID:
                              • API String ID: 1046115767-0
                              • Opcode ID: ecf5a1728edaf070cb6aea6ed1b418fa5573b15f18d8693f0b2ddff4273d3f18
                              • Instruction ID: 7448f9f9ff59d9e643c4813f1c5861c394e67d21e49fb52901edf056e7b3af09
                              • Opcode Fuzzy Hash: ecf5a1728edaf070cb6aea6ed1b418fa5573b15f18d8693f0b2ddff4273d3f18
                              • Instruction Fuzzy Hash: 6B1173728096508AE716FFB6D8413587A616FC2333F264740EC605B2E3C7B58E4897A5
                              APIs
                                • Part of subcall function 0095395C: __FF_MSGBANNER.LIBCMT ref: 00953973
                                • Part of subcall function 0095395C: __NMSG_WRITE.LIBCMT ref: 0095397A
                                • Part of subcall function 0095395C: RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001,00000001,00000000,?,?,0094F507,?,0000000E), ref: 0095399F
                              • std::exception::exception.LIBCMT ref: 0094F51E
                              • __CxxThrowException@8.LIBCMT ref: 0094F533
                                • Part of subcall function 00956805: RaiseException.KERNEL32(?,?,0000000E,009E6A30,?,?,?,0094F538,0000000E,009E6A30,?,00000001), ref: 00956856
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                              • String ID:
                              • API String ID: 3902256705-0
                              • Opcode ID: b4038abb264fdcfb98ea06c8729ef6c5f5eee5476c39cf5adbdb991b3b968e43
                              • Instruction ID: bd2eeb2c86c89630133cac7442cae6d6b10984194e27456444dfa0817edd5fec
                              • Opcode Fuzzy Hash: b4038abb264fdcfb98ea06c8729ef6c5f5eee5476c39cf5adbdb991b3b968e43
                              • Instruction Fuzzy Hash: 33F0AF3110521EA7DB14FF99D921EEEB7ECAF40364F604439FD08A2191DFB09A4887A5
                              APIs
                                • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                              • __lock_file.LIBCMT ref: 00953629
                                • Part of subcall function 00954E1C: __lock.LIBCMT ref: 00954E3F
                              • __fclose_nolock.LIBCMT ref: 00953634
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                              • String ID:
                              • API String ID: 2800547568-0
                              • Opcode ID: 34ff6a79c7ab93343b6f7eef87e11151c520a1060c64869dda9b48490c210fd7
                              • Instruction ID: 6a53efa84b344c1d1df560472a5d0471374e9293a14d3f12362fb65b7f9569b5
                              • Opcode Fuzzy Hash: 34ff6a79c7ab93343b6f7eef87e11151c520a1060c64869dda9b48490c210fd7
                              • Instruction Fuzzy Hash: CCF09031802204AAD712EB67880776EBBA46F81376F65C50CEC24AB2C1CB7C8B0D9B55
                              APIs
                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00FEEE25
                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FEEE49
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FEEE6B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290917379.0000000000FED000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fed000_RFQ.jbxd
                              Similarity
                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                              • String ID:
                              • API String ID: 2438371351-0
                              • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                              • Instruction ID: 8cc011fb07b654c15778e0d141c0805f5022ad63d3566d1b1b4df2961126ec6a
                              • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                              • Instruction Fuzzy Hash: DD12CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A
                              APIs
                              • __flush.LIBCMT ref: 00952A0B
                                • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __flush__getptd_noexit
                              • String ID:
                              • API String ID: 4101623367-0
                              • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                              • Instruction ID: d3a8e9344ce0b87410412158b620f5beb64ac6d58e7334deb2f26bc86f991187
                              • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                              • Instruction Fuzzy Hash: DC4195717007069FDF28CF6BC99156E77AAAF86362F24852DEC55C7280E770DD498B40
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                              • Instruction ID: eaac72872ee29b091d17b6d18ee4b1f4b0123d723b0290a0cf2416d5a905961c
                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                              • Instruction Fuzzy Hash: 3231C274E00105DBD718DF58C490A69FBAAFF49340F648AA5E40ACB2A6DB35EDC1CB90
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ClearVariant
                              • String ID:
                              • API String ID: 1473721057-0
                              • Opcode ID: e671a86324ce86e8a716e3e653f5cbf210d1770887715f5e857b42f661f063d4
                              • Instruction ID: 9c60d7fc086ff74dd435832c3df3109b5a309e415b07aaae0b8b9ad0860118fc
                              • Opcode Fuzzy Hash: e671a86324ce86e8a716e3e653f5cbf210d1770887715f5e857b42f661f063d4
                              • Instruction Fuzzy Hash: 13411C745087518FDB24DF14C484F1ABBE1BF85308F1989ACE99A4B362C776E885CF52
                              APIs
                                • Part of subcall function 00934214: FreeLibrary.KERNEL32(00000000,?), ref: 00934247
                              • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009339FE,?,00000001), ref: 009341DB
                                • Part of subcall function 00934291: FreeLibrary.KERNEL32(00000000), ref: 009342C4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Library$Free$Load
                              • String ID:
                              • API String ID: 2391024519-0
                              • Opcode ID: ec5344e43c1b2c5f8d61e0fee77d3b6f07e806c3ab6df93fb31331d4cbf5b8e3
                              • Instruction ID: cba7e8a085143752a8b1e119f54c2b8cb0eb129548bb8f491cf4ff1cde807795
                              • Opcode Fuzzy Hash: ec5344e43c1b2c5f8d61e0fee77d3b6f07e806c3ab6df93fb31331d4cbf5b8e3
                              • Instruction Fuzzy Hash: FD11A731600306AADF10BF74DD06F9E77A99FC0700F118429F5A6B61C1DA74AA149F60
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ClearVariant
                              • String ID:
                              • API String ID: 1473721057-0
                              • Opcode ID: 026adace8286b2fa45d2e65b585238d7d5cae02a348c9f514eab10b5f6d8e647
                              • Instruction ID: 240ba1ed1a081a65e5028681b7f0e3fa6e1051c8962e4f980702ceb7029d2b88
                              • Opcode Fuzzy Hash: 026adace8286b2fa45d2e65b585238d7d5cae02a348c9f514eab10b5f6d8e647
                              • Instruction Fuzzy Hash: A821F370908701CFDB24DF68C544F2ABBE1BF85304F154968FA9A4B262D731E849CF92
                              APIs
                              • ___lock_fhandle.LIBCMT ref: 0095AFC0
                                • Part of subcall function 00957BDA: __getptd_noexit.LIBCMT ref: 00957BDA
                                • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __getptd_noexit$___lock_fhandle
                              • String ID:
                              • API String ID: 1144279405-0
                              • Opcode ID: 54056ef2596856897532ce9501a21d4cd39187ff9c961d8081d760cdb38ac83f
                              • Instruction ID: 599d974412a8e087edeb899a8459386968ab387baf356d874dd3c4d1ae50e6c7
                              • Opcode Fuzzy Hash: 54056ef2596856897532ce9501a21d4cd39187ff9c961d8081d760cdb38ac83f
                              • Instruction Fuzzy Hash: 001160728096109BD712EFB6D84276DB6609FC2333F294740EC741B2E2D7B48E489BA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                              • Instruction ID: 87303fb27fa66ec5aa40a5b987f42f3514381368789d611426ac3b10c1b5741b
                              • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                              • Instruction Fuzzy Hash: 8A01447150010DAFCF05EFA4C8929FFBB78EF61344F10C069B566A71A5EA30AA49DF60
                              APIs
                              • __lock_file.LIBCMT ref: 00952AED
                                • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __getptd_noexit__lock_file
                              • String ID:
                              • API String ID: 2597487223-0
                              • Opcode ID: c8ada2da89ef3f48311210fce18ad7302d13700878553bfa6ec3eaefb7d90de8
                              • Instruction ID: e3171fdfba6f7c494f5fe8ba3995a86e06d29845c47e509741bf08d31bfec1ae
                              • Opcode Fuzzy Hash: c8ada2da89ef3f48311210fce18ad7302d13700878553bfa6ec3eaefb7d90de8
                              • Instruction Fuzzy Hash: 8EF06D31900205AADF22EFB7CC0679F3AA9BF82326F158415BC149B1D1D7788A6ADB51
                              APIs
                              • FreeLibrary.KERNEL32(?,?,?,?,?,009339FE,?,00000001), ref: 00934286
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: FreeLibrary
                              • String ID:
                              • API String ID: 3664257935-0
                              • Opcode ID: 53afa0e594a6c5e020d465e3ab4530c1a2da24e793d9891e535d03a57fbf11e9
                              • Instruction ID: edd5cc0e768618c5100e31ea753d4f6a519e62b3a382e230712f369562aa30a2
                              • Opcode Fuzzy Hash: 53afa0e594a6c5e020d465e3ab4530c1a2da24e793d9891e535d03a57fbf11e9
                              • Instruction Fuzzy Hash: 2DF0A070409301CFCB348F64D480813BBE4BF003253218A3EF1E692510C376A840DF40
                              APIs
                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009340C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: LongNamePath
                              • String ID:
                              • API String ID: 82841172-0
                              • Opcode ID: 21e825a909f21e7f416c41d2e0ff8f81b44703fff85f0ee6febcf7deaa04c8ed
                              • Instruction ID: 9ee3049a95212cef2cb6df9bbcb7b0f54ceecb667795ae8b47e5ff17f1cba766
                              • Opcode Fuzzy Hash: 21e825a909f21e7f416c41d2e0ff8f81b44703fff85f0ee6febcf7deaa04c8ed
                              • Instruction Fuzzy Hash: 7DE0C2366042246BC711E658CC46FEA77ADDFC87B0F0941B5FA09E7244EA64A9819A90
                              APIs
                              • Sleep.KERNELBASE(000001F4), ref: 00FEF609
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290917379.0000000000FED000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fed000_RFQ.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                              • Instruction ID: cb5e14128f7912f0613a9ef011ec4cf7f4bdeb714353deadd890d00ccfc08d15
                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                              • Instruction Fuzzy Hash: 8FE0E67494010DDFDB00DFB4D54969D7BF4EF04301F104161FD01D2280D6309D509A62
                              APIs
                              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0099B1CD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: %d/%02d/%02d
                              • API String ID: 3850602802-328681919
                              • Opcode ID: 34e0874dda975e688faf7b003cee6534cc82924d86a4058fbdeb2b69315aa54b
                              • Instruction ID: 66e84816f23262fce3577929ecda68bb2275bd881f4e42cfc7a57798d0943d4f
                              • Opcode Fuzzy Hash: 34e0874dda975e688faf7b003cee6534cc82924d86a4058fbdeb2b69315aa54b
                              • Instruction Fuzzy Hash: 6312CF71604209ABEF248F68DD59FAE7BB8FF85320F104629F915DB2D0EB788941CB51
                              APIs
                              • GetForegroundWindow.USER32(00000000,00000000), ref: 0094EB4A
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009A3AEA
                              • IsIconic.USER32(000000FF), ref: 009A3AF3
                              • ShowWindow.USER32(000000FF,00000009), ref: 009A3B00
                              • SetForegroundWindow.USER32(000000FF), ref: 009A3B0A
                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009A3B20
                              • GetCurrentThreadId.KERNEL32 ref: 009A3B27
                              • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 009A3B33
                              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 009A3B44
                              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 009A3B4C
                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 009A3B54
                              • SetForegroundWindow.USER32(000000FF), ref: 009A3B57
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 009A3B6C
                              • keybd_event.USER32(00000012,00000000), ref: 009A3B77
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 009A3B81
                              • keybd_event.USER32(00000012,00000000), ref: 009A3B86
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 009A3B8F
                              • keybd_event.USER32(00000012,00000000), ref: 009A3B94
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 009A3B9E
                              • keybd_event.USER32(00000012,00000000), ref: 009A3BA3
                              • SetForegroundWindow.USER32(000000FF), ref: 009A3BA6
                              • AttachThreadInput.USER32(000000FF,?,00000000), ref: 009A3BCD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                              • String ID: Shell_TrayWnd
                              • API String ID: 4125248594-2988720461
                              • Opcode ID: 33446e60ec7232894d768c61af42923a55ccde4cd143391bd01c9b36a10dc804
                              • Instruction ID: acbca34896fe0f72f09e8b9ee1aeb2cc2ab04f50588af87f37caffabf902bfa0
                              • Opcode Fuzzy Hash: 33446e60ec7232894d768c61af42923a55ccde4cd143391bd01c9b36a10dc804
                              • Instruction Fuzzy Hash: 4F31A671A54318BBEB305B759D49F7F7E6CEB44B60F108125FA05EA1D0EAB05D00AEB0
                              APIs
                                • Part of subcall function 0096B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0096B180
                                • Part of subcall function 0096B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0096B1AD
                                • Part of subcall function 0096B134: GetLastError.KERNEL32 ref: 0096B1BA
                              • _memset.LIBCMT ref: 0096AD08
                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0096AD5A
                              • CloseHandle.KERNEL32(?), ref: 0096AD6B
                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0096AD82
                              • GetProcessWindowStation.USER32 ref: 0096AD9B
                              • SetProcessWindowStation.USER32(00000000), ref: 0096ADA5
                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0096ADBF
                                • Part of subcall function 0096AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0096ACC0), ref: 0096AB99
                                • Part of subcall function 0096AB84: CloseHandle.KERNEL32(?,?,0096ACC0), ref: 0096ABAB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                              • String ID: $default$winsta0
                              • API String ID: 2063423040-1027155976
                              • Opcode ID: c817913981b3fb306d065ace9be18616324facb4d808e1bdee46ba4861cb5517
                              • Instruction ID: 12dc2c20edd671e3e89c8bb25bf5655938c29a16f4cbdbb3f190ddfb4681b7f7
                              • Opcode Fuzzy Hash: c817913981b3fb306d065ace9be18616324facb4d808e1bdee46ba4861cb5517
                              • Instruction Fuzzy Hash: 51816E71801209AFDF129FA4DD49AEE7BBCEF08314F048119F914B61A1E7368E55DF62
                              APIs
                                • Part of subcall function 00976EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00975FA6,?), ref: 00976ED8
                                • Part of subcall function 00976EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00975FA6,?), ref: 00976EF1
                                • Part of subcall function 0097725E: __wsplitpath.LIBCMT ref: 0097727B
                                • Part of subcall function 0097725E: __wsplitpath.LIBCMT ref: 0097728E
                                • Part of subcall function 009772CB: GetFileAttributesW.KERNEL32(?,00976019), ref: 009772CC
                              • _wcscat.LIBCMT ref: 00976149
                              • _wcscat.LIBCMT ref: 00976167
                              • __wsplitpath.LIBCMT ref: 0097618E
                              • FindFirstFileW.KERNEL32(?,?), ref: 009761A4
                              • _wcscpy.LIBCMT ref: 00976209
                              • _wcscat.LIBCMT ref: 0097621C
                              • _wcscat.LIBCMT ref: 0097622F
                              • lstrcmpiW.KERNEL32(?,?), ref: 0097625D
                              • DeleteFileW.KERNEL32(?), ref: 0097626E
                              • MoveFileW.KERNEL32(?,?), ref: 00976289
                              • MoveFileW.KERNEL32(?,?), ref: 00976298
                              • CopyFileW.KERNEL32(?,?,00000000), ref: 009762AD
                              • DeleteFileW.KERNEL32(?), ref: 009762BE
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 009762E1
                              • FindClose.KERNEL32(00000000), ref: 009762FD
                              • FindClose.KERNEL32(00000000), ref: 0097630B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                              • String ID: \*.*
                              • API String ID: 1917200108-1173974218
                              • Opcode ID: 1266841762c444b04786acd6af61ad2582b91d95cbc495faf056ae187c2c8ff9
                              • Instruction ID: c72d304206f3bd06e1695cb22cd837cdb7223e34fba2beb9874eb86ea383fd16
                              • Opcode Fuzzy Hash: 1266841762c444b04786acd6af61ad2582b91d95cbc495faf056ae187c2c8ff9
                              • Instruction Fuzzy Hash: 18514F7280911C6ACB21EB91CC44EEF77BCAF45310F0545E6E599E2142EB3697498FA4
                              APIs
                              • OpenClipboard.USER32(009CDC00), ref: 00986B36
                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00986B44
                              • GetClipboardData.USER32(0000000D), ref: 00986B4C
                              • CloseClipboard.USER32 ref: 00986B58
                              • GlobalLock.KERNEL32(00000000), ref: 00986B74
                              • CloseClipboard.USER32 ref: 00986B7E
                              • GlobalUnlock.KERNEL32(00000000), ref: 00986B93
                              • IsClipboardFormatAvailable.USER32(00000001), ref: 00986BA0
                              • GetClipboardData.USER32(00000001), ref: 00986BA8
                              • GlobalLock.KERNEL32(00000000), ref: 00986BB5
                              • GlobalUnlock.KERNEL32(00000000), ref: 00986BE9
                              • CloseClipboard.USER32 ref: 00986CF6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                              • String ID:
                              • API String ID: 3222323430-0
                              • Opcode ID: d7f27831598aecee47c43eb8a0a2b7f6edb8ce11ae4df0f38daa7f2dc4d8942f
                              • Instruction ID: 93951063f7742b76d82e79db33b05357430ccb35b2e9d150efa734d1bdf233ce
                              • Opcode Fuzzy Hash: d7f27831598aecee47c43eb8a0a2b7f6edb8ce11ae4df0f38daa7f2dc4d8942f
                              • Instruction Fuzzy Hash: CA51A271209201ABD300FF64DE56F6E77A8EF88B10F004529F696DA2E1EF70D905DB62
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 0097F62B
                              • FindClose.KERNEL32(00000000), ref: 0097F67F
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0097F6A4
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0097F6BB
                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0097F6E2
                              • __swprintf.LIBCMT ref: 0097F72E
                              • __swprintf.LIBCMT ref: 0097F767
                              • __swprintf.LIBCMT ref: 0097F7BB
                                • Part of subcall function 0095172B: __woutput_l.LIBCMT ref: 00951784
                              • __swprintf.LIBCMT ref: 0097F809
                              • __swprintf.LIBCMT ref: 0097F858
                              • __swprintf.LIBCMT ref: 0097F8A7
                              • __swprintf.LIBCMT ref: 0097F8F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                              • API String ID: 835046349-2428617273
                              • Opcode ID: a6bedf44f30c3f43e224b5736d984f250109227237e08d341eab117ddb34048d
                              • Instruction ID: 4d719333902527c3c3bdc8ffb1bcec6bdf7a64ae8afbf4ca33741d7df919f3fb
                              • Opcode Fuzzy Hash: a6bedf44f30c3f43e224b5736d984f250109227237e08d341eab117ddb34048d
                              • Instruction Fuzzy Hash: AAA12FB2408344ABC314EBA5C895EAFB7ECBFD8704F40492EF59593191EB34D949CB62
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00981B50
                              • _wcscmp.LIBCMT ref: 00981B65
                              • _wcscmp.LIBCMT ref: 00981B7C
                              • GetFileAttributesW.KERNEL32(?), ref: 00981B8E
                              • SetFileAttributesW.KERNEL32(?,?), ref: 00981BA8
                              • FindNextFileW.KERNEL32(00000000,?), ref: 00981BC0
                              • FindClose.KERNEL32(00000000), ref: 00981BCB
                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00981BE7
                              • _wcscmp.LIBCMT ref: 00981C0E
                              • _wcscmp.LIBCMT ref: 00981C25
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00981C37
                              • SetCurrentDirectoryW.KERNEL32(009E39FC), ref: 00981C55
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00981C5F
                              • FindClose.KERNEL32(00000000), ref: 00981C6C
                              • FindClose.KERNEL32(00000000), ref: 00981C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                              • String ID: *.*
                              • API String ID: 1803514871-438819550
                              • Opcode ID: 1f9eb40be3488a1ddc7a96a83329d950c1795653c39ff30920cb8c5bc71579d0
                              • Instruction ID: 79346d9864a12873f5973704c3879c3fa14f6ec076473fa292c075316ed4d1b4
                              • Opcode Fuzzy Hash: 1f9eb40be3488a1ddc7a96a83329d950c1795653c39ff30920cb8c5bc71579d0
                              • Instruction Fuzzy Hash: 0A31F33250521AABCF14EFA5DC48BEE77ACAF45324F0042A5F911E3190EB70DE868B64
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00981CAB
                              • _wcscmp.LIBCMT ref: 00981CC0
                              • _wcscmp.LIBCMT ref: 00981CD7
                                • Part of subcall function 00976BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00976BEF
                              • FindNextFileW.KERNEL32(00000000,?), ref: 00981D06
                              • FindClose.KERNEL32(00000000), ref: 00981D11
                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00981D2D
                              • _wcscmp.LIBCMT ref: 00981D54
                              • _wcscmp.LIBCMT ref: 00981D6B
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00981D7D
                              • SetCurrentDirectoryW.KERNEL32(009E39FC), ref: 00981D9B
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00981DA5
                              • FindClose.KERNEL32(00000000), ref: 00981DB2
                              • FindClose.KERNEL32(00000000), ref: 00981DC2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                              • String ID: *.*
                              • API String ID: 1824444939-438819550
                              • Opcode ID: f90a99e05ddd4a0f2b936a3002d9800a31accfc3e26a02ca896b9e038a4edb1d
                              • Instruction ID: 39eb689a55ae54bd566bf2b53c025d37f988d6a74f30de6475e63f2ff0a49ac0
                              • Opcode Fuzzy Hash: f90a99e05ddd4a0f2b936a3002d9800a31accfc3e26a02ca896b9e038a4edb1d
                              • Instruction Fuzzy Hash: 7E31163250561A6ACF14FFA4DC48FEE37ACAF45324F104691F800A32D1EB70DE468B54
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _memset
                              • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                              • API String ID: 2102423945-2023335898
                              • Opcode ID: af1d90b2410e6d0cd8a13056598a9470e00d3d736510726c9279f88b87d7d7f3
                              • Instruction ID: ca33be7b34b8a6b931fca96b4b3fda2f03a4a070f9d25d0470d500beb15a8b37
                              • Opcode Fuzzy Hash: af1d90b2410e6d0cd8a13056598a9470e00d3d736510726c9279f88b87d7d7f3
                              • Instruction Fuzzy Hash: A882BF71D04219DBCF24CF98C8907AEB7B5FF89310F2585A9D859AB291E7349D81CF90
                              APIs
                              • GetLocalTime.KERNEL32(?), ref: 009809DF
                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 009809EF
                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009809FB
                              • __wsplitpath.LIBCMT ref: 00980A59
                              • _wcscat.LIBCMT ref: 00980A71
                              • _wcscat.LIBCMT ref: 00980A83
                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00980A98
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00980AAC
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00980ADE
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00980AFF
                              • _wcscpy.LIBCMT ref: 00980B0B
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00980B4A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                              • String ID: *.*
                              • API String ID: 3566783562-438819550
                              • Opcode ID: 6f4b43c3899cd23ca60702c6f3c82390bd4e35371de0e8f7dc0b472e54b79f2d
                              • Instruction ID: 0ce30476de1f8dc157163d7ce01b5e893a53b74e485c9bf12504ac64ac4e9ac0
                              • Opcode Fuzzy Hash: 6f4b43c3899cd23ca60702c6f3c82390bd4e35371de0e8f7dc0b472e54b79f2d
                              • Instruction Fuzzy Hash: D7613A725083059FD710EF60C885A9EB3E8FFC9314F04895AF99987251EB35E949CB92
                              APIs
                                • Part of subcall function 0096ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0096ABD7
                                • Part of subcall function 0096ABBB: GetLastError.KERNEL32(?,0096A69F,?,?,?), ref: 0096ABE1
                                • Part of subcall function 0096ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0096A69F,?,?,?), ref: 0096ABF0
                                • Part of subcall function 0096ABBB: HeapAlloc.KERNEL32(00000000,?,0096A69F,?,?,?), ref: 0096ABF7
                                • Part of subcall function 0096ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0096AC0E
                                • Part of subcall function 0096AC56: GetProcessHeap.KERNEL32(00000008,0096A6B5,00000000,00000000,?,0096A6B5,?), ref: 0096AC62
                                • Part of subcall function 0096AC56: HeapAlloc.KERNEL32(00000000,?,0096A6B5,?), ref: 0096AC69
                                • Part of subcall function 0096AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0096A6B5,?), ref: 0096AC7A
                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0096A6D0
                              • _memset.LIBCMT ref: 0096A6E5
                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0096A704
                              • GetLengthSid.ADVAPI32(?), ref: 0096A715
                              • GetAce.ADVAPI32(?,00000000,?), ref: 0096A752
                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0096A76E
                              • GetLengthSid.ADVAPI32(?), ref: 0096A78B
                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0096A79A
                              • HeapAlloc.KERNEL32(00000000), ref: 0096A7A1
                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0096A7C2
                              • CopySid.ADVAPI32(00000000), ref: 0096A7C9
                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0096A7FA
                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0096A820
                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0096A834
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                              • String ID:
                              • API String ID: 3996160137-0
                              • Opcode ID: 64ab21d442007bc24dabff539f53f8d0a3eb0cdf09ecb556cb5f17fcddabb822
                              • Instruction ID: 93d24c0fdd752ad1f65cd43377cb91f4c432c4a5a68dcd50f3b3844115619b5e
                              • Opcode Fuzzy Hash: 64ab21d442007bc24dabff539f53f8d0a3eb0cdf09ecb556cb5f17fcddabb822
                              • Instruction Fuzzy Hash: 2B515B7190020AAFDF04DFA5DD85AEEBBB9FF04310F048129F911A72A0EB359A05DF61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                              • API String ID: 0-4052911093
                              • Opcode ID: e7bbc7deed6f33e2c0d2a9c4419e219fc0ae52ae15c22d1ab24b86a5d21dbb74
                              • Instruction ID: b99fe2c044c422d64ae388d5ae3e17313549166feff81e7ece6eba3f8df921fb
                              • Opcode Fuzzy Hash: e7bbc7deed6f33e2c0d2a9c4419e219fc0ae52ae15c22d1ab24b86a5d21dbb74
                              • Instruction Fuzzy Hash: C7728FB1E042199BDB24CF99D9807EEB7B5FF48320F14856AE815EB280DB349E41DF90
                              APIs
                                • Part of subcall function 00976EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00975FA6,?), ref: 00976ED8
                                • Part of subcall function 009772CB: GetFileAttributesW.KERNEL32(?,00976019), ref: 009772CC
                              • _wcscat.LIBCMT ref: 00976441
                              • __wsplitpath.LIBCMT ref: 0097645F
                              • FindFirstFileW.KERNEL32(?,?), ref: 00976474
                              • _wcscpy.LIBCMT ref: 009764A3
                              • _wcscat.LIBCMT ref: 009764B8
                              • _wcscat.LIBCMT ref: 009764CA
                              • DeleteFileW.KERNEL32(?), ref: 009764DA
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 009764EB
                              • FindClose.KERNEL32(00000000), ref: 00976506
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                              • String ID: \*.*
                              • API String ID: 2643075503-1173974218
                              • Opcode ID: 054cfc867a5a1e57eddf97e272e1a92b07fc49670526a7e93c4a7928797c1948
                              • Instruction ID: 1a2e0b998ce7ea3d34f379c01aa4960ba9e5ebcc972ce31e8adb1c800860c533
                              • Opcode Fuzzy Hash: 054cfc867a5a1e57eddf97e272e1a92b07fc49670526a7e93c4a7928797c1948
                              • Instruction Fuzzy Hash: 3931A2B340C3849AC321DBA4C885ADBB7DCAF96310F044A2AF9D8C3141EB35D50D87A7
                              APIs
                                • Part of subcall function 00993C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00992BB5,?,?), ref: 00993C1D
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099328E
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0099332D
                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009933C5
                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00993604
                              • RegCloseKey.ADVAPI32(00000000), ref: 00993611
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                              • String ID:
                              • API String ID: 1240663315-0
                              • Opcode ID: fda9d341fa57324073911391b1b08db5dfa16f0143fdf9e23ede1eb82ccf4878
                              • Instruction ID: 8548c2311a9d17157dba674ad241602311596a52ab908ef812ba39bd026126e2
                              • Opcode Fuzzy Hash: fda9d341fa57324073911391b1b08db5dfa16f0143fdf9e23ede1eb82ccf4878
                              • Instruction Fuzzy Hash: B0E14A71604200AFCB14DF69C995E2ABBE9EF89714F04C96DF44ADB2A1DB30E905CF52
                              APIs
                              • GetKeyboardState.USER32(?), ref: 00972B5F
                              • GetAsyncKeyState.USER32(000000A0), ref: 00972BE0
                              • GetKeyState.USER32(000000A0), ref: 00972BFB
                              • GetAsyncKeyState.USER32(000000A1), ref: 00972C15
                              • GetKeyState.USER32(000000A1), ref: 00972C2A
                              • GetAsyncKeyState.USER32(00000011), ref: 00972C42
                              • GetKeyState.USER32(00000011), ref: 00972C54
                              • GetAsyncKeyState.USER32(00000012), ref: 00972C6C
                              • GetKeyState.USER32(00000012), ref: 00972C7E
                              • GetAsyncKeyState.USER32(0000005B), ref: 00972C96
                              • GetKeyState.USER32(0000005B), ref: 00972CA8
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: State$Async$Keyboard
                              • String ID:
                              • API String ID: 541375521-0
                              APIs
                              Similarity
                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                              • String ID:
                              • API String ID: 1737998785-0
                              APIs
                                • Part of subcall function 00969ABF: CLSIDFromProgID.OLE32 ref: 00969ADC
                                • Part of subcall function 00969ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00969AF7
                                • Part of subcall function 00969ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00969B05
                                • Part of subcall function 00969ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00969B15
                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0098C235
                              • _memset.LIBCMT ref: 0098C242
                              • _memset.LIBCMT ref: 0098C360
                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0098C38C
                              • CoTaskMemFree.OLE32(?), ref: 0098C397
                              Strings
                              • NULL Pointer assignment, xrefs: 0098C3E5
                              Similarity
                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                              • String ID: NULL Pointer assignment
                              • API String ID: 1300414916-2785691316
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00981FE1
                              • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00982011
                              • _wcscmp.LIBCMT ref: 00982025
                              • _wcscmp.LIBCMT ref: 00982040
                              • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 009820DE
                              • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 009820F4
                              Similarity
                              • API ID: Find$File_wcscmp$CloseFirstNextSleep
                              • String ID: *.*
                              • API String ID: 3356411064-438819550
                              APIs
                                • Part of subcall function 0096B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0096B180
                                • Part of subcall function 0096B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0096B1AD
                                • Part of subcall function 0096B134: GetLastError.KERNEL32 ref: 0096B1BA
                              • ExitWindowsEx.USER32(?,00000000), ref: 00977A0F
                              Similarity
                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                              • String ID: $@$SeShutdownPrivilege
                              • API String ID: 2234035333-194228
                              APIs
                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00988CA8
                              • WSAGetLastError.WSOCK32(00000000), ref: 00988CB7
                              • bind.WSOCK32(00000000,?,00000010), ref: 00988CD3
                              • listen.WSOCK32(00000000,00000005), ref: 00988CE2
                              • WSAGetLastError.WSOCK32(00000000), ref: 00988CFC
                              • closesocket.WSOCK32(00000000,00000000), ref: 00988D10
                              Similarity
                              • API ID: ErrorLast$bindclosesocketlistensocket
                              • String ID:
                              • API String ID: 1279440585-0
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00976554
                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00976564
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00976583
                              • __wsplitpath.LIBCMT ref: 009765A7
                              • _wcscat.LIBCMT ref: 009765BA
                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 009765F9
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                              • String ID:
                              • API String ID: 1605983538-0
                              APIs
                                • Part of subcall function 0098A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0098A84E
                              • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00989296
                              • WSAGetLastError.WSOCK32(00000000,00000000), ref: 009892B9
                              Similarity
                              • API ID: ErrorLastinet_addrsocket
                              • String ID:
                              • API String ID: 4170576061-0
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 0097EB8A
                              • _wcscmp.LIBCMT ref: 0097EBBA
                              • _wcscmp.LIBCMT ref: 0097EBCF
                              • FindNextFileW.KERNEL32(00000000,?), ref: 0097EBE0
                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0097EC0E
                              Similarity
                              • API ID: Find$File_wcscmp$CloseFirstNext
                              • String ID:
                              • API String ID: 2387731787-0
                              APIs
                              Similarity
                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                              • String ID:
                              • API String ID: 292994002-0
                              Strings
                              Similarity
                              • API ID:
                              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                              • API String ID: 0-1546025612
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,0094E014,771B0AE0,0094DEF1,009CDC38,?,?), ref: 0094E02C
                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0094E03E
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetNativeSystemInfo$kernel32.dll
                              • API String ID: 2574300362-192647395
                              APIs
                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 009713DC
                              Similarity
                              • API ID: lstrlen
                              • String ID: ($|
                              • API String ID: 1659193697-1631851259
                              APIs
                                • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 0094B22F
                                • Part of subcall function 0094B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0094B5A5
                              Similarity
                              • API ID: Proc$LongWindow
                              • String ID:
                              • API String ID: 2749884682-0
                              APIs
                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009843BF,00000000), ref: 00984FA6
                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00984FD2
                              Similarity
                              • API ID: Internet$AvailableDataFileQueryRead
                              • String ID:
                              • API String ID: 599397726-0
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0097E20D
                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0097E267
                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0097E2B4
                              Similarity
                              • API ID: ErrorMode$DiskFreeSpace
                              • String ID:
                              • API String ID: 1682464887-0
                              • Opcode ID: b6ba2e942db2c7cd82bb7a8e2604e1b9da820e50b94ba074672a88faa082b0d4
                              • Instruction ID: cf62f138e05b1425528c29d0017595280cc02c701ce2b28b3aaed78d627d6e70
                              • Opcode Fuzzy Hash: b6ba2e942db2c7cd82bb7a8e2604e1b9da820e50b94ba074672a88faa082b0d4
                              • Instruction Fuzzy Hash: AE216D75A10218EFCB04EFA5D885EADFBB8FF88310F0484A9E945AB251DB319905CB50
                              APIs
                                • Part of subcall function 0094F4EA: std::exception::exception.LIBCMT ref: 0094F51E
                                • Part of subcall function 0094F4EA: __CxxThrowException@8.LIBCMT ref: 0094F533
                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0096B180
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0096B1AD
                              • GetLastError.KERNEL32 ref: 0096B1BA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                              • String ID:
                              • API String ID: 1922334811-0
                              • Opcode ID: 6225cd46d171417f9839485d26e2b485e9d0d881b87f591281d8562637cadf72
                              • Instruction ID: 02116bdc0036712459970ea4a1d7bd7b5987cf04538bc4123c07ae4a9c11d34b
                              • Opcode Fuzzy Hash: 6225cd46d171417f9839485d26e2b485e9d0d881b87f591281d8562637cadf72
                              • Instruction Fuzzy Hash: 9011BCB2518205BFE718AF64DC96E2BB7BCEB44320B21852EE05693250EB70FC418A60
                              APIs
                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009766AF
                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 009766EC
                              • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009766F5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CloseControlCreateDeviceFileHandle
                              • String ID:
                              • API String ID: 33631002-0
                              • Opcode ID: ebbd1e379d173a0970e229df303b7e877fef47e4857411efd528c7394cef25de
                              • Instruction ID: 07a18689b03063e6aebde8dc258ff569d51d049f1dbed17ba1115ad9d6ebb065
                              • Opcode Fuzzy Hash: ebbd1e379d173a0970e229df303b7e877fef47e4857411efd528c7394cef25de
                              • Instruction Fuzzy Hash: 7211A5B2915228BEE7108BA8DC45FAF77BCEB04764F004656F905E7191D2749E0487A5
                              APIs
                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00977223
                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0097723A
                              • FreeSid.ADVAPI32(?), ref: 0097724A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AllocateCheckFreeInitializeMembershipToken
                              • String ID:
                              • API String ID: 3429775523-0
                              • Opcode ID: c388ee02337fe7953939a1cc04db11ceccd53448e6194226e668c919c5e2dede
                              • Instruction ID: 6a0eef3b0b30bebfa8506a06c961d97a46737f3e0ad26b564444792a63242b00
                              • Opcode Fuzzy Hash: c388ee02337fe7953939a1cc04db11ceccd53448e6194226e668c919c5e2dede
                              • Instruction Fuzzy Hash: 46F01D76A19209BFDF04DFE4DD89AEEBBBCEF08211F104569A602E2191E2709A449B10
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 0097F599
                              • FindClose.KERNEL32(00000000), ref: 0097F5C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID:
                              • API String ID: 2295610775-0
                              • Opcode ID: a09b9bc1c7d3a927f0c7d6c474df028a35054d77d551a630c1b1ffc35de9df1a
                              • Instruction ID: 4df5d87af1f81585129c2640d28f5c85876e3b82ec79860d48b8b3f4cfef6b47
                              • Opcode Fuzzy Hash: a09b9bc1c7d3a927f0c7d6c474df028a35054d77d551a630c1b1ffc35de9df1a
                              • Instruction Fuzzy Hash: 3711C4726042009FD704EF28D885A2EB3E8FF84325F00895EF8A9D7291DB30BD008B91
                              APIs
                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0098BE6A,?,?,00000000,?), ref: 0097CEA7
                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0098BE6A,?,?,00000000,?), ref: 0097CEB9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ErrorFormatLastMessage
                              • String ID:
                              • API String ID: 3479602957-0
                              • Opcode ID: 5fe6e4d88350a004764b9358bf42b6584a8941ec0863a900813d8fe0f753ad2d
                              • Instruction ID: 19097d322f6e49c1cb82a45e17ef520485106517ddb9cda72ee215e28d3da5dd
                              • Opcode Fuzzy Hash: 5fe6e4d88350a004764b9358bf42b6584a8941ec0863a900813d8fe0f753ad2d
                              • Instruction Fuzzy Hash: 31F0A771114229FBDB209FA4DC49FEA776DFF08361F008165F919D6181E7309E44CBA0
                              APIs
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00974153
                              • keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00974166
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: InputSendkeybd_event
                              • String ID:
                              • API String ID: 3536248340-0
                              • Opcode ID: 8793c712814ec9ff7291db1eb86231d6b14a797d9d68a15f3304ffc497bfae1c
                              • Instruction ID: 64dcdb9e73cde0857d010cabfb8cd7d66c429c61bfc4eccd084910c9fe1fde13
                              • Opcode Fuzzy Hash: 8793c712814ec9ff7291db1eb86231d6b14a797d9d68a15f3304ffc497bfae1c
                              • Instruction Fuzzy Hash: 43F0907181434DAFDB059FA0C805BBE7FB4EF10315F008409F96596192D7B9C612DFA0
                              APIs
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0096ACC0), ref: 0096AB99
                              • CloseHandle.KERNEL32(?,?,0096ACC0), ref: 0096ABAB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AdjustCloseHandlePrivilegesToken
                              • String ID:
                              • API String ID: 81990902-0
                              • Opcode ID: 64537a103396a1e1d70798bcf57da4fc0913bb26c92ee1b1a65fedeacf78d872
                              • Instruction ID: ab7268b28fffe596fb926b3592781cbcbb133f74270ca52433bfa1e91f964378
                              • Opcode Fuzzy Hash: 64537a103396a1e1d70798bcf57da4fc0913bb26c92ee1b1a65fedeacf78d872
                              • Instruction Fuzzy Hash: EDE08631014511AFE7252F24EC04E7777EDEF043307108529F45980430D7225C90DB50
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00956DB3,-0000031A,?,?,00000001), ref: 009581B1
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009581BA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 912c936a1bfe871e89e03c12b922311fe144087bf1e0d72674a2898791229616
                              • Instruction ID: 6e1c4a97f6e59f97b32f78d24ed37bd7f877f0e89ae853c5df092ad97381d991
                              • Opcode Fuzzy Hash: 912c936a1bfe871e89e03c12b922311fe144087bf1e0d72674a2898791229616
                              • Instruction Fuzzy Hash: A8B09231059608ABDB002BA1ED09B587FA8EB0866AF044120F60D44062AB735510AB92
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID:
                              • API String ID: 4104443479-0
                              • Opcode ID: c3e2c17a6e80aabd69e4ceb3fbdb8d8b7f572c5a8f4f587a81c3092eb0004678
                              • Instruction ID: 967ad5aaf3249f82d891dc338e9926d611183151c395c8275e304da27927d40d
                              • Opcode Fuzzy Hash: c3e2c17a6e80aabd69e4ceb3fbdb8d8b7f572c5a8f4f587a81c3092eb0004678
                              • Instruction Fuzzy Hash: F6A24BB0E04219CFDB24CF98C5906ADB7B5FF49324F2581A9E859AB390D7349E81DF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::exception::exception
                              • String ID: @
                              • API String ID: 3728558374-2766056989
                              • Opcode ID: 2e9ebcc8d220b85dbed590d5ff0d63cecf4dafa14a072f3515c81119c476a8b6
                              • Instruction ID: f41bc83873309cd46d0337a04806004a1af8dcbb67e7fcf72a96742e6af2f662
                              • Opcode Fuzzy Hash: 2e9ebcc8d220b85dbed590d5ff0d63cecf4dafa14a072f3515c81119c476a8b6
                              • Instruction Fuzzy Hash: 7F72BE71E04209AFDF14DFA4C881FAEB7B9EF89300F14C459E915AB291D734AE45CB91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 87115979c6ccce1297230eb5dee45f4d4dd43507d43e8c52f52417e29f5dad47
                              • Instruction ID: 919ace74e467a6d3014958c8f93baf24ddfa569ae483522012dd81b105605d0b
                              • Opcode Fuzzy Hash: 87115979c6ccce1297230eb5dee45f4d4dd43507d43e8c52f52417e29f5dad47
                              • Instruction Fuzzy Hash: 23320321D2AF014DD7239635C872336A29CAFB73D5F15D727E81AB59AAEF29C4C35200
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __itow__swprintf
                              • String ID:
                              • API String ID: 674341424-0
                              • Opcode ID: e102ef0e6103e8a144262e3d0251f0e9a500ffeeed71926750a4af732552e5f9
                              • Instruction ID: ade15ad3ca0e871ca7c31793cc6517a2216b90c09f766d7e949e5710f4564bd8
                              • Opcode Fuzzy Hash: e102ef0e6103e8a144262e3d0251f0e9a500ffeeed71926750a4af732552e5f9
                              • Instruction Fuzzy Hash: 2C2266B16083019FD724DF28C891B6BB7E8BF85310F10491DF99A9B291DBB5E944CF92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e1f0d934b98babd19f0dab715d4ee2c9e04237d43345c0a363fdbb3458c052c5
                              • Instruction ID: 35fa49e4d54bb7134774d926d7be5d8eec8862e6aef6c59da214d4ec46ef997c
                              • Opcode Fuzzy Hash: e1f0d934b98babd19f0dab715d4ee2c9e04237d43345c0a363fdbb3458c052c5
                              • Instruction Fuzzy Hash: 25B1DF20D3AF414DD32396398871336B65CAFBB2D5B92D71BFC1AB4D62EB2295C35180
                              APIs
                              • __time64.LIBCMT ref: 0097B6DF
                                • Part of subcall function 0095344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0097BDC3,00000000,?,?,?,?,0097BF70,00000000,?), ref: 00953453
                                • Part of subcall function 0095344A: __aulldiv.LIBCMT ref: 00953473
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Time$FileSystem__aulldiv__time64
                              • String ID:
                              • API String ID: 2893107130-0
                              • Opcode ID: d2656040ba5dfcdc816842dcdb6f6426ca84b053b06584ef90b341e67e6a88f0
                              • Instruction ID: c05a278b42bbadb09537d1b0364a54604a50ee776c394682d2630cf8e07e2adb
                              • Opcode Fuzzy Hash: d2656040ba5dfcdc816842dcdb6f6426ca84b053b06584ef90b341e67e6a88f0
                              • Instruction Fuzzy Hash: B72172726345108BC729CF28C491B62B7E5EB95320B64CE6DE4E9CF2C0CB78BA05DB54
                              APIs
                              • BlockInput.USER32(00000001), ref: 00986ACA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: BlockInput
                              • String ID:
                              • API String ID: 3456056419-0
                              • Opcode ID: 8b92a1bd2afc0307dba0315abd5e1cc6f1ca3d723c8aa99ce2bf2bf9bc32aac2
                              • Instruction ID: 4ef5e3bb5732bef13f4c60b5a303984b1bc46f1625b0660d40ef133de84cbc2f
                              • Opcode Fuzzy Hash: 8b92a1bd2afc0307dba0315abd5e1cc6f1ca3d723c8aa99ce2bf2bf9bc32aac2
                              • Instruction Fuzzy Hash: 6CE04835210204AFC700EF59D404E56B7ECAFB4751F04C456F945DB351DAB4F8048BA0
                              APIs
                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009774DE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: mouse_event
                              • String ID:
                              • API String ID: 2434400541-0
                              • Opcode ID: d9d2fef0e3fb52489f0f596747a90fa76998d2fe073863647098165878b2fdf5
                              • Instruction ID: 97db2fba5a4c336231417a1c588ae795e29d3f8e390d556515d30047872be211
                              • Opcode Fuzzy Hash: d9d2fef0e3fb52489f0f596747a90fa76998d2fe073863647098165878b2fdf5
                              • Instruction Fuzzy Hash: 97D05EA312C70538EC3807A48C0FF76890EF3007C4F80D6C9B28AC90E1B8C45801A032
                              APIs
                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0096AD3E), ref: 0096B124
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: LogonUser
                              • String ID:
                              • API String ID: 1244722697-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: NameUser
                              • String ID:
                              • API String ID: 2645101109-0
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0095818F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::exception::exception
                              • String ID:
                              • API String ID: 3728558374-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                              • DeleteObject.GDI32(00000000), ref: 0098A2FE
                              • DeleteObject.GDI32(00000000), ref: 0098A310
                              • DestroyWindow.USER32 ref: 0098A31E
                              • GetDesktopWindow.USER32 ref: 0098A338
                              • GetWindowRect.USER32(00000000), ref: 0098A33F
                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0098A480
                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0098A490
                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A4D8
                              • GetClientRect.USER32(00000000,?), ref: 0098A4E4
                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0098A51E
                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A540
                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A553
                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A55E
                              • GlobalLock.KERNEL32(00000000), ref: 0098A567
                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A576
                              • GlobalUnlock.KERNEL32(00000000), ref: 0098A57F
                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A586
                              • GlobalFree.KERNEL32(00000000), ref: 0098A591
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A5A3
                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,009BD9BC,00000000), ref: 0098A5B9
                              • GlobalFree.KERNEL32(00000000), ref: 0098A5C9
                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0098A5EF
                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0098A60E
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A630
                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A81D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                              • String ID: $AutoIt v3$DISPLAY$static
                              • API String ID: 2211948467-2373415609
                              APIs
                              • SetTextColor.GDI32(?,00000000), ref: 0099D2DB
                              • GetSysColorBrush.USER32(0000000F), ref: 0099D30C
                              • GetSysColor.USER32(0000000F), ref: 0099D318
                              • SetBkColor.GDI32(?,000000FF), ref: 0099D332
                              • SelectObject.GDI32(?,00000000), ref: 0099D341
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0099D36C
                              • GetSysColor.USER32(00000010), ref: 0099D374
                              • CreateSolidBrush.GDI32(00000000), ref: 0099D37B
                              • FrameRect.USER32(?,?,00000000), ref: 0099D38A
                              • DeleteObject.GDI32(00000000), ref: 0099D391
                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0099D3DC
                              • FillRect.USER32(?,?,00000000), ref: 0099D40E
                              • GetWindowLongW.USER32(?,000000F0), ref: 0099D439
                                • Part of subcall function 0099D575: GetSysColor.USER32(00000012), ref: 0099D5AE
                                • Part of subcall function 0099D575: SetTextColor.GDI32(?,?), ref: 0099D5B2
                                • Part of subcall function 0099D575: GetSysColorBrush.USER32(0000000F), ref: 0099D5C8
                                • Part of subcall function 0099D575: GetSysColor.USER32(0000000F), ref: 0099D5D3
                                • Part of subcall function 0099D575: GetSysColor.USER32(00000011), ref: 0099D5F0
                                • Part of subcall function 0099D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0099D5FE
                                • Part of subcall function 0099D575: SelectObject.GDI32(?,00000000), ref: 0099D60F
                                • Part of subcall function 0099D575: SetBkColor.GDI32(?,00000000), ref: 0099D618
                                • Part of subcall function 0099D575: SelectObject.GDI32(?,?), ref: 0099D625
                                • Part of subcall function 0099D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0099D644
                                • Part of subcall function 0099D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0099D65B
                                • Part of subcall function 0099D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0099D670
                                • Part of subcall function 0099D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0099D698
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                              • String ID:
                              • API String ID: 3521893082-0
                              APIs
                              • DestroyWindow.USER32 ref: 0094B98B
                              • DeleteObject.GDI32(00000000), ref: 0094B9CD
                              • DeleteObject.GDI32(00000000), ref: 0094B9D8
                              • DestroyIcon.USER32(00000000), ref: 0094B9E3
                              • DestroyWindow.USER32(00000000), ref: 0094B9EE
                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 009AD2AA
                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009AD2E3
                              • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 009AD711
                                • Part of subcall function 0094B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0094B759,?,00000000,?,?,?,?,0094B72B,00000000,?), ref: 0094BA58
                              • SendMessageW.USER32 ref: 009AD758
                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009AD76F
                              • ImageList_Destroy.COMCTL32(00000000), ref: 009AD785
                              • ImageList_Destroy.COMCTL32(00000000), ref: 009AD790
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                              • String ID: 0
                              • API String ID: 464785882-4108050209
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0097DBD6
                              • GetDriveTypeW.KERNEL32(?,009CDC54,?,\\.\,009CDC00), ref: 0097DCC3
                              • SetErrorMode.KERNEL32(00000000,009CDC54,?,\\.\,009CDC00), ref: 0097DE29
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ErrorMode$DriveType
                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                              • API String ID: 2907320926-4222207086
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __wcsnicmp
                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                              • API String ID: 1038674560-86951937
                              • Opcode ID: 4eb66d206c40410c4965687dd573ecceaf03c223a606cb5d16a4ec185fe81eaf
                              • Instruction ID: fbac96408e4324fa3e7dc9fa63d98e14e6d44fc4788367eb03608ce60dbd53c8
                              • Opcode Fuzzy Hash: 4eb66d206c40410c4965687dd573ecceaf03c223a606cb5d16a4ec185fe81eaf
                              • Instruction Fuzzy Hash: 8C81F7B1640605BBCB25AB64DC82FBB777CAF96304F044439F906BA1C2EB60D945CBD1
                              APIs
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0099C788
                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0099C83E
                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 0099C859
                              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0099CB15
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$Window
                              • String ID: 0
                              • API String ID: 2326795674-4108050209
                              • Opcode ID: cce04c225cc6d8cc180cec63abb7823e6f982b604ac28b181eac40d277935c04
                              • Instruction ID: ccd03cfee3b5aa9e7e4858a5c42c5b7cb1678e0b481d5be1ffc49ed0299c7972
                              • Opcode Fuzzy Hash: cce04c225cc6d8cc180cec63abb7823e6f982b604ac28b181eac40d277935c04
                              • Instruction Fuzzy Hash: 5DF1E6B1509301AFEB218F2CCC45BAABBE8FF49354F080A2DF599D62A1D774D940DB91
                              APIs
                              • CharUpperBuffW.USER32(?,?,009CDC00), ref: 00996449
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: BuffCharUpper
                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                              • API String ID: 3964851224-45149045
                              • Opcode ID: 9326e718152622be80ac3d73c4928f2bc93a79b2aefce75beaaf656ee6409d68
                              • Instruction ID: b3cd57f538e19f2877273effd4b31347fbe3882d7b1f49091ce2bc4c89c0033e
                              • Opcode Fuzzy Hash: 9326e718152622be80ac3d73c4928f2bc93a79b2aefce75beaaf656ee6409d68
                              • Instruction Fuzzy Hash: 42C17D306043458BCF14EF58C591FAE77E5BFD5344F044869F8869B2A2EB25ED4ACB82
                              APIs
                              • GetSysColor.USER32(00000012), ref: 0099D5AE
                              • SetTextColor.GDI32(?,?), ref: 0099D5B2
                              • GetSysColorBrush.USER32(0000000F), ref: 0099D5C8
                              • GetSysColor.USER32(0000000F), ref: 0099D5D3
                              • CreateSolidBrush.GDI32(?), ref: 0099D5D8
                              • GetSysColor.USER32(00000011), ref: 0099D5F0
                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0099D5FE
                              • SelectObject.GDI32(?,00000000), ref: 0099D60F
                              • SetBkColor.GDI32(?,00000000), ref: 0099D618
                              • SelectObject.GDI32(?,?), ref: 0099D625
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0099D644
                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0099D65B
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0099D670
                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0099D698
                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0099D6BF
                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0099D6DD
                              • DrawFocusRect.USER32(?,?), ref: 0099D6E8
                              • GetSysColor.USER32(00000011), ref: 0099D6F6
                              • SetTextColor.GDI32(?,00000000), ref: 0099D6FE
                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0099D712
                              • SelectObject.GDI32(?,0099D2A5), ref: 0099D729
                              • DeleteObject.GDI32(?), ref: 0099D734
                              • SelectObject.GDI32(?,?), ref: 0099D73A
                              • DeleteObject.GDI32(?), ref: 0099D73F
                              • SetTextColor.GDI32(?,?), ref: 0099D745
                              • SetBkColor.GDI32(?,?), ref: 0099D74F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                              • String ID:
                              • API String ID: 1996641542-0
                              • Opcode ID: ab2b140d7e2d80b10a751f2a05a4db0e1aaaab6ae64c0502ae9ca02d5bfc9dc7
                              • Instruction ID: 706148e1707226d80a3ede39b9b6f130f9768d321c64c1ee60653f83326ab215
                              • Opcode Fuzzy Hash: ab2b140d7e2d80b10a751f2a05a4db0e1aaaab6ae64c0502ae9ca02d5bfc9dc7
                              • Instruction Fuzzy Hash: 3B515B71916208BFDF109FA8DD88EAE7B79EF08320F114615F915AB2A0E7759A40DF90
                              APIs
                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0099B7B0
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0099B7C1
                              • CharNextW.USER32(0000014E), ref: 0099B7F0
                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0099B831
                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0099B847
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0099B858
                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0099B875
                              • SetWindowTextW.USER32(?,0000014E), ref: 0099B8C7
                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0099B8DD
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0099B90E
                              • _memset.LIBCMT ref: 0099B933
                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0099B97C
                              • _memset.LIBCMT ref: 0099B9DB
                              • SendMessageW.USER32 ref: 0099BA05
                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 0099BA5D
                              • SendMessageW.USER32(?,0000133D,?,?), ref: 0099BB0A
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0099BB2C
                              • GetMenuItemInfoW.USER32(?), ref: 0099BB76
                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0099BBA3
                              • DrawMenuBar.USER32(?), ref: 0099BBB2
                              • SetWindowTextW.USER32(?,0000014E), ref: 0099BBDA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                              • String ID: 0
                              • API String ID: 1073566785-4108050209
                              • Opcode ID: 8616dd4f7258ced584af5abe9907b422b76fa8fc51244cbe8312d7850dc39f61
                              • Instruction ID: 518b88f912ab8e517078dbee28792cebd6ad28aef6b5ed5b75bb51882359f7d8
                              • Opcode Fuzzy Hash: 8616dd4f7258ced584af5abe9907b422b76fa8fc51244cbe8312d7850dc39f61
                              • Instruction Fuzzy Hash: D5E19071900218EBDF20DFA9DD84EEE7B7CEF45724F108159FA19AA190D7788A41DF60
                              APIs
                              • GetCursorPos.USER32(?), ref: 0099778A
                              • GetDesktopWindow.USER32 ref: 0099779F
                              • GetWindowRect.USER32(00000000), ref: 009977A6
                              • GetWindowLongW.USER32(?,000000F0), ref: 00997808
                              • DestroyWindow.USER32(?), ref: 00997834
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0099785D
                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0099787B
                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009978A1
                              • SendMessageW.USER32(?,00000421,?,?), ref: 009978B6
                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009978C9
                              • IsWindowVisible.USER32(?), ref: 009978E9
                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00997904
                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00997918
                              • GetWindowRect.USER32(?,?), ref: 00997930
                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00997956
                              • GetMonitorInfoW.USER32 ref: 00997970
                              • CopyRect.USER32(?,?), ref: 00997987
                              • SendMessageW.USER32(?,00000412,00000000), ref: 009979F2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                              • String ID: ($0$tooltips_class32
                              • API String ID: 698492251-4156429822
                              • Opcode ID: 726cf1af94de2b0aba6d785d04f74dec089d6119c33e58cdca9bdd8677ff4c5d
                              • Instruction ID: a917c9f9b3748eafa439e040b38198580287e3b45f3a45fb27d0d0d0062a42fa
                              • Opcode Fuzzy Hash: 726cf1af94de2b0aba6d785d04f74dec089d6119c33e58cdca9bdd8677ff4c5d
                              • Instruction Fuzzy Hash: 06B17071618301AFDB04DFA9D985B5AFBE5FF88310F00891DF5999B291DB70E805CB91
                              APIs
                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00976CFB
                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00976D21
                              • _wcscpy.LIBCMT ref: 00976D4F
                              • _wcscmp.LIBCMT ref: 00976D5A
                              • _wcscat.LIBCMT ref: 00976D70
                              • _wcsstr.LIBCMT ref: 00976D7B
                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00976D97
                              • _wcscat.LIBCMT ref: 00976DE0
                              • _wcscat.LIBCMT ref: 00976DE7
                              • _wcsncpy.LIBCMT ref: 00976E12
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                              • API String ID: 699586101-1459072770
                              • Opcode ID: e22e3a40adbf89c1860ad8133326f8b1c745e368f731653e3ddcad5cd603fff1
                              • Instruction ID: 054c18a2467734c46d49963ac09c15778abe179735ccae9e3f66063e279566c8
                              • Opcode Fuzzy Hash: e22e3a40adbf89c1860ad8133326f8b1c745e368f731653e3ddcad5cd603fff1
                              • Instruction Fuzzy Hash: 4341D172A00201BBEB11AB65CC47FBF776CEFC5714F044069FD05A2182FB759A05A7A2
                              APIs
                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0094A939
                              • GetSystemMetrics.USER32(00000007), ref: 0094A941
                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0094A96C
                              • GetSystemMetrics.USER32(00000008), ref: 0094A974
                              • GetSystemMetrics.USER32(00000004), ref: 0094A999
                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0094A9B6
                              • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0094A9C6
                              • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0094A9F9
                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0094AA0D
                              • GetClientRect.USER32(00000000,000000FF), ref: 0094AA2B
                              • GetStockObject.GDI32(00000011), ref: 0094AA47
                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0094AA52
                                • Part of subcall function 0094B63C: GetCursorPos.USER32(000000FF), ref: 0094B64F
                                • Part of subcall function 0094B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0094B66C
                                • Part of subcall function 0094B63C: GetAsyncKeyState.USER32(00000001), ref: 0094B691
                                • Part of subcall function 0094B63C: GetAsyncKeyState.USER32(00000002), ref: 0094B69F
                              • SetTimer.USER32(00000000,00000000,00000028,0094AB87), ref: 0094AA79
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                              • String ID: AutoIt v3 GUI
                              • API String ID: 1458621304-248962490
                              • Opcode ID: f0fd5ffd4329fa58713b3f2a9f0ce29c327f167cbe370113080335634e27da6b
                              • Instruction ID: 075b82a7dd8261ec3c0cdeea6ecbd05eeaa7b72ecc5290883f43da6c1eed2757
                              • Opcode Fuzzy Hash: f0fd5ffd4329fa58713b3f2a9f0ce29c327f167cbe370113080335634e27da6b
                              • Instruction Fuzzy Hash: 28B18A71A4520ADFDB14DFA8CD45FAE7BB8FB48324F104229FA16E6290DB74D840DB91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$Foreground
                              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                              • API String ID: 62970417-1919597938
                              • Opcode ID: c22391f4fc27297cafccd3439a62f80880c7185e5279e36c9678bd9115b96a33
                              • Instruction ID: fa8134d0ab91be3bde1c64169a9de9e23fedbab00235c0f59908ae1e5952cae0
                              • Opcode Fuzzy Hash: c22391f4fc27297cafccd3439a62f80880c7185e5279e36c9678bd9115b96a33
                              • Instruction Fuzzy Hash: 13D1C730508742ABCB18EF64C481BAABBB4FF96344F104A1DF496575A1DB30E99ACFD1
                              APIs
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00993735
                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,009CDC00,00000000,?,00000000,?,?), ref: 009937A3
                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009937EB
                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00993874
                              • RegCloseKey.ADVAPI32(?), ref: 00993B94
                              • RegCloseKey.ADVAPI32(00000000), ref: 00993BA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Close$ConnectCreateRegistryValue
                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                              • API String ID: 536824911-966354055
                              • Opcode ID: 61f886be4601c6a29a566ed106382515519e4c03f01168f9deeb1c8db5c60167
                              • Instruction ID: aef7c311688e415ea8165e16b245d0c8b867fb37b713125035db86ed2a5776f4
                              • Opcode Fuzzy Hash: 61f886be4601c6a29a566ed106382515519e4c03f01168f9deeb1c8db5c60167
                              • Instruction Fuzzy Hash: AD0239756046019FCB14EF19C995B2AB7E9FF89720F04895DF98A9B3A1DB30ED01CB81
                              APIs
                              • CharUpperBuffW.USER32(?,?), ref: 00996C56
                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00996D16
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: BuffCharMessageSendUpper
                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                              • API String ID: 3974292440-719923060
                              • Opcode ID: f1b7a1808af450ee338179da5bef8eb2ac40d0d8415098cf51d2d94dc0a26380
                              • Instruction ID: 4b682762f0306512f2ee8171fcc969535e4a363af700950062232a9f3d38e23d
                              • Opcode Fuzzy Hash: f1b7a1808af450ee338179da5bef8eb2ac40d0d8415098cf51d2d94dc0a26380
                              • Instruction Fuzzy Hash: 48A15D706043459BCB14EF28C991F7AB3A5BF84314F14496DB8A6AB3D2EB34ED05CB51
                              APIs
                              • GetClassNameW.USER32(?,?,00000100), ref: 0096CF91
                              • __swprintf.LIBCMT ref: 0096D032
                              • _wcscmp.LIBCMT ref: 0096D045
                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0096D09A
                              • _wcscmp.LIBCMT ref: 0096D0D6
                              • GetClassNameW.USER32(?,?,00000400), ref: 0096D10D
                              • GetDlgCtrlID.USER32(?), ref: 0096D15F
                              • GetWindowRect.USER32(?,?), ref: 0096D195
                              • GetParent.USER32(?), ref: 0096D1B3
                              • ScreenToClient.USER32(00000000), ref: 0096D1BA
                              • GetClassNameW.USER32(?,?,00000100), ref: 0096D234
                              • _wcscmp.LIBCMT ref: 0096D248
                              • GetWindowTextW.USER32(?,?,00000400), ref: 0096D26E
                              • _wcscmp.LIBCMT ref: 0096D282
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                              • String ID: %s%u
                              • API String ID: 3119225716-679674701
                              • Opcode ID: b1f0e9fd0f2b07e1e8909050b7b49f3bb0a201892f85a0d11df7cfd7b93ddb27
                              • Instruction ID: 1698914177d6fa032a690505f999e1cb136afca7e3dd1ba514b7b810cc53f47d
                              • Opcode Fuzzy Hash: b1f0e9fd0f2b07e1e8909050b7b49f3bb0a201892f85a0d11df7cfd7b93ddb27
                              • Instruction Fuzzy Hash: 5EA1C171A09306AFD715DF64C894FAAB7ACFF44354F008619F9B9D2190EB30EA45CB91
                              APIs
                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0096D8EB
                              • _wcscmp.LIBCMT ref: 0096D8FC
                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0096D924
                              • CharUpperBuffW.USER32(?,00000000), ref: 0096D941
                              • _wcscmp.LIBCMT ref: 0096D95F
                              • _wcsstr.LIBCMT ref: 0096D970
                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0096D9A8
                              • _wcscmp.LIBCMT ref: 0096D9B8
                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0096D9DF
                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0096DA28
                              • _wcscmp.LIBCMT ref: 0096DA38
                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0096DA60
                              • GetWindowRect.USER32(00000004,?), ref: 0096DAC9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                              • String ID: @$ThumbnailClass
                              • API String ID: 1788623398-1539354611
                              • Opcode ID: 134278f05b7a686746e03ef9987af12821d11d36008afcbbe5a246d591091ed8
                              • Instruction ID: 1a730723dafbd176da94e78cdcaf29013bac00320afe243104b7e7deec4c2c5d
                              • Opcode Fuzzy Hash: 134278f05b7a686746e03ef9987af12821d11d36008afcbbe5a246d591091ed8
                              • Instruction Fuzzy Hash: 1881D2316093059BDB05CF60C985FAA7BECFF84314F04846AFD999A096EB30DD45CBA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __wcsnicmp
                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                              • API String ID: 1038674560-1810252412
                              • Opcode ID: 1bd5d7b93e70bab2b22dd3b34c74c0d84ba11639b8237192b03ae11e1e3977bd
                              • Instruction ID: c9260bbdfebcb91754556a35f02b35799efe9540768b4ea4ac5cc351bca341ef
                              • Opcode Fuzzy Hash: 1bd5d7b93e70bab2b22dd3b34c74c0d84ba11639b8237192b03ae11e1e3977bd
                              • Instruction Fuzzy Hash: B231BE71A44249AADB15EF62DE43FEDB3BC9FA1744F300069F851B20D1EB51AF08CA52
                              APIs
                              • LoadIconW.USER32(00000063), ref: 0096EAB0
                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0096EAC2
                              • SetWindowTextW.USER32(?,?), ref: 0096EAD9
                              • GetDlgItem.USER32(?,000003EA), ref: 0096EAEE
                              • SetWindowTextW.USER32(00000000,?), ref: 0096EAF4
                              • GetDlgItem.USER32(?,000003E9), ref: 0096EB04
                              • SetWindowTextW.USER32(00000000,?), ref: 0096EB0A
                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0096EB2B
                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0096EB45
                              • GetWindowRect.USER32(?,?), ref: 0096EB4E
                              • SetWindowTextW.USER32(?,?), ref: 0096EBB9
                              • GetDesktopWindow.USER32 ref: 0096EBBF
                              • GetWindowRect.USER32(00000000), ref: 0096EBC6
                              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0096EC12
                              • GetClientRect.USER32(?,?), ref: 0096EC1F
                              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0096EC44
                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0096EC6F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                              • String ID:
                              • API String ID: 3869813825-0
                              • Opcode ID: ee5d2902d51990238620e2ba315e6af5fe627267a0eb5012fd1f971f273bed30
                              • Instruction ID: e06f2ea48da3ba19751740ac7cee858779ad8eadecaff1730520e517a2c1e3e1
                              • Opcode Fuzzy Hash: ee5d2902d51990238620e2ba315e6af5fe627267a0eb5012fd1f971f273bed30
                              • Instruction Fuzzy Hash: 67514C75900709EFDB20DFA9CE89F6EBBF9FF04714F004A28E586A25A0D774A944DB50
                              APIs
                              • LoadCursorW.USER32(00000000,00007F8A), ref: 009879C6
                              • LoadCursorW.USER32(00000000,00007F00), ref: 009879D1
                              • LoadCursorW.USER32(00000000,00007F03), ref: 009879DC
                              • LoadCursorW.USER32(00000000,00007F8B), ref: 009879E7
                              • LoadCursorW.USER32(00000000,00007F01), ref: 009879F2
                              • LoadCursorW.USER32(00000000,00007F81), ref: 009879FD
                              • LoadCursorW.USER32(00000000,00007F88), ref: 00987A08
                              • LoadCursorW.USER32(00000000,00007F80), ref: 00987A13
                              • LoadCursorW.USER32(00000000,00007F86), ref: 00987A1E
                              • LoadCursorW.USER32(00000000,00007F83), ref: 00987A29
                              • LoadCursorW.USER32(00000000,00007F85), ref: 00987A34
                              • LoadCursorW.USER32(00000000,00007F82), ref: 00987A3F
                              • LoadCursorW.USER32(00000000,00007F84), ref: 00987A4A
                              • LoadCursorW.USER32(00000000,00007F04), ref: 00987A55
                              • LoadCursorW.USER32(00000000,00007F02), ref: 00987A60
                              • LoadCursorW.USER32(00000000,00007F89), ref: 00987A6B
                              • GetCursorInfo.USER32(?), ref: 00987A7B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Cursor$Load$Info
                              • String ID:
                              • API String ID: 2577412497-0
                              • Opcode ID: f6b947b7362d1f70153ade2d3d137b173bb4a47d782a6d3d2490f297769f645b
                              • Instruction ID: 035f0be8a079cfccc333f8b4e33d34820b190362ea31300d549ed6cccbe1e046
                              • Opcode Fuzzy Hash: f6b947b7362d1f70153ade2d3d137b173bb4a47d782a6d3d2490f297769f645b
                              • Instruction Fuzzy Hash: 2B3103B1D4831A6ADB109FF68C8999FFFECFF04750F50452AA50DE7280DA78A5008FA1
                              APIs
                                • Part of subcall function 0094E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0093C8B7,?,00002000,?,?,00000000,?,0093419E,?,?,?,009CDC00), ref: 0094E984
                                • Part of subcall function 0093660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009353B1,?,?,009361FF,?,00000000,00000001,00000000), ref: 0093662F
                              • __wsplitpath.LIBCMT ref: 0093C93E
                                • Part of subcall function 00951DFC: __wsplitpath_helper.LIBCMT ref: 00951E3C
                              • _wcscpy.LIBCMT ref: 0093C953
                              • _wcscat.LIBCMT ref: 0093C968
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0093C978
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0093CABE
                                • Part of subcall function 0093B337: _wcscpy.LIBCMT ref: 0093B36F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                              • API String ID: 2258743419-1018226102
                              • Opcode ID: 383dba18285a75afd320aecc3cff8f5e6c1e8c6781266a681c4ed638ce35f72c
                              • Instruction ID: bcbbe3b7a51c6883b66513ecbdeedea419b77691292e70fceaf251ad2d39f36e
                              • Opcode Fuzzy Hash: 383dba18285a75afd320aecc3cff8f5e6c1e8c6781266a681c4ed638ce35f72c
                              • Instruction Fuzzy Hash: B51270715083419FC724EF24C851AAFBBE9AFD9304F44891EF589A3261DB30DA49CF92
                              APIs
                              • _memset.LIBCMT ref: 0099CEFB
                              • DestroyWindow.USER32(?,?), ref: 0099CF73
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0099CFF4
                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0099D016
                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0099D025
                              • DestroyWindow.USER32(?), ref: 0099D042
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00930000,00000000), ref: 0099D075
                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0099D094
                              • GetDesktopWindow.USER32 ref: 0099D0A9
                              • GetWindowRect.USER32(00000000), ref: 0099D0B0
                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0099D0C2
                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0099D0DA
                                • Part of subcall function 0094B526: GetWindowLongW.USER32(?,000000EB), ref: 0094B537
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                              • String ID: 0$tooltips_class32
                              • API String ID: 3877571568-3619404913
                              • Opcode ID: ff038ccd33e755027c84363f756c14b0c1e64fd3b43520f746fb5812cec9bd60
                              • Instruction ID: d4b1ad581b7d62b8b443e19d4431589ebafde469ad32c1ab6152bafa66669a7d
                              • Opcode Fuzzy Hash: ff038ccd33e755027c84363f756c14b0c1e64fd3b43520f746fb5812cec9bd60
                              • Instruction Fuzzy Hash: 4E71EEB0155305AFDB20CF28CC85FB67BE9EB88704F04461DF985872A1DB30E942DB62
                              APIs
                                • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                              • DragQueryPoint.SHELL32(?,?), ref: 0099F37A
                                • Part of subcall function 0099D7DE: ClientToScreen.USER32(?,?), ref: 0099D807
                                • Part of subcall function 0099D7DE: GetWindowRect.USER32(?,?), ref: 0099D87D
                                • Part of subcall function 0099D7DE: PtInRect.USER32(?,?,0099ED5A), ref: 0099D88D
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0099F3E3
                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0099F3EE
                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0099F411
                              • _wcscat.LIBCMT ref: 0099F441
                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0099F458
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0099F471
                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0099F488
                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0099F4AA
                              • DragFinish.SHELL32(?), ref: 0099F4B1
                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0099F59C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                              • API String ID: 169749273-3440237614
                              • Opcode ID: 891132a535ac436f1391bf99a262b8e8236ac36866429d7d14c6f8a72ada346e
                              • Instruction ID: 1c7dfc41be1d4c6d682b55166f0a289598feb3f3ef093ae53a32678f524ca521
                              • Opcode Fuzzy Hash: 891132a535ac436f1391bf99a262b8e8236ac36866429d7d14c6f8a72ada346e
                              • Instruction Fuzzy Hash: CF6139B1508301AFC711EF64DC85EABBBF8BFC9714F400A2EF595921A1DB709A09CB52
                              APIs
                              • VariantInit.OLEAUT32(00000000), ref: 0097AB3D
                              • VariantCopy.OLEAUT32(?,?), ref: 0097AB46
                              • VariantClear.OLEAUT32(?), ref: 0097AB52
                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0097AC40
                              • __swprintf.LIBCMT ref: 0097AC70
                              • VarR8FromDec.OLEAUT32(?,?), ref: 0097AC9C
                              • VariantInit.OLEAUT32(?), ref: 0097AD4D
                              • SysFreeString.OLEAUT32(00000016), ref: 0097ADDF
                              • VariantClear.OLEAUT32(?), ref: 0097AE35
                              • VariantClear.OLEAUT32(?), ref: 0097AE44
                              • VariantInit.OLEAUT32(00000000), ref: 0097AE80
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                              • API String ID: 3730832054-3931177956
                              • Opcode ID: b153fd490ecbb3a6652a2c6f46e432942ec6180a2432a8472721b69324f79203
                              • Instruction ID: e76a3b9502363ccec4ceb278a3de7aea507f9d4cd3307aaa46ff5b5a3a32b91d
                              • Opcode Fuzzy Hash: b153fd490ecbb3a6652a2c6f46e432942ec6180a2432a8472721b69324f79203
                              • Instruction Fuzzy Hash: 68D1EF72A04606EFCB249F65C885B6EB7BAFF84710F14C855E4099B1D0DB78EC44DBA2
                              APIs
                              • CharUpperBuffW.USER32(?,?), ref: 009971FC
                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00997247
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: BuffCharMessageSendUpper
                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                              • API String ID: 3974292440-4258414348
                              • Opcode ID: e397918c66f11aa35e1f8bf9c912ba490dc3b3732900f393382d27549086ce02
                              • Instruction ID: 15b090e021fa68253bf5682730d17cd3d155deacbc5cb85aa2bba571d4d7d830
                              • Opcode Fuzzy Hash: e397918c66f11aa35e1f8bf9c912ba490dc3b3732900f393382d27549086ce02
                              • Instruction Fuzzy Hash: AA915D746187019BCB14EF64C891B6EB7A5BF94310F004869F8966B3A3DF74ED0ACB91
                              APIs
                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0099E5AB
                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0099BEAF), ref: 0099E607
                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0099E647
                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0099E68C
                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0099E6C3
                              • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0099BEAF), ref: 0099E6CF
                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0099E6DF
                              • DestroyIcon.USER32(?,?,?,?,?,0099BEAF), ref: 0099E6EE
                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0099E70B
                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0099E717
                                • Part of subcall function 00950FA7: __wcsicmp_l.LIBCMT ref: 00951030
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                              • String ID: .dll$.exe$.icl
                              • API String ID: 1212759294-1154884017
                              • Opcode ID: 1232423377fe0020efc2fab34345676532b0386a16baecd4401ac190631691e2
                              • Instruction ID: c0246c518260737b9ffd0f47abf99e79cbad18a04b6fe012f2e7f30663b6efc4
                              • Opcode Fuzzy Hash: 1232423377fe0020efc2fab34345676532b0386a16baecd4401ac190631691e2
                              • Instruction Fuzzy Hash: 7861BF71500215BAEF24DF68CD86FFE77ACBB18725F104615F915D60D0EBB4A980DBA0
                              APIs
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                              • CharLowerBuffW.USER32(?,?), ref: 0097D292
                              • GetDriveTypeW.KERNEL32 ref: 0097D2DF
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097D327
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097D35E
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097D38C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                              • API String ID: 1148790751-4113822522
                              • Opcode ID: 2a92ea145eeb2a2a4ea5ee1b7ca5fbec2ec2066268ae16c8076f8334d51b968c
                              • Instruction ID: e584ae27b95a3f5c14b24fe2d37453ed02eae276ac975fdaf27967cf3fbf2b21
                              • Opcode Fuzzy Hash: 2a92ea145eeb2a2a4ea5ee1b7ca5fbec2ec2066268ae16c8076f8334d51b968c
                              • Instruction Fuzzy Hash: F15128B1504205AFC700EF11C981A6AB7F8FF98718F00896DF89AA7251DB31EE06CF52
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,009A3973,00000016,0000138C,00000016,?,00000016,009CDDB4,00000000,?), ref: 009726F1
                              • LoadStringW.USER32(00000000,?,009A3973,00000016), ref: 009726FA
                              • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,009A3973,00000016,0000138C,00000016,?,00000016,009CDDB4,00000000,?,00000016), ref: 0097271C
                              • LoadStringW.USER32(00000000,?,009A3973,00000016), ref: 0097271F
                              • __swprintf.LIBCMT ref: 0097276F
                              • __swprintf.LIBCMT ref: 00972780
                              • _wprintf.LIBCMT ref: 00972829
                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00972840
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                              • API String ID: 618562835-2268648507
                              • Opcode ID: 4c550794dba1c37f6949067724b0411c8f93a874c8b04df9aa0fcd9d09d24f2f
                              • Instruction ID: 3f2bdc1877bb2845fb9adbba9e4d7b3bac2e70ca1f6cb7b7c85c157e5349b4f6
                              • Opcode Fuzzy Hash: 4c550794dba1c37f6949067724b0411c8f93a874c8b04df9aa0fcd9d09d24f2f
                              • Instruction Fuzzy Hash: AA412D72804219ABCB15FBE0DE86FEEB778AF98344F104065B50676092EA216F09DF61
                              APIs
                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0097D0D8
                              • __swprintf.LIBCMT ref: 0097D0FA
                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0097D137
                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0097D15C
                              • _memset.LIBCMT ref: 0097D17B
                              • _wcsncpy.LIBCMT ref: 0097D1B7
                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0097D1EC
                              • CloseHandle.KERNEL32(00000000), ref: 0097D1F7
                              • RemoveDirectoryW.KERNEL32(?), ref: 0097D200
                              • CloseHandle.KERNEL32(00000000), ref: 0097D20A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                              • String ID: :$\$\??\%s
                              • API String ID: 2733774712-3457252023
                              • Opcode ID: 00f4a1a8b29f5e14033d5cf025c4856411e14598586b54d303a11590eb883ce1
                              • Instruction ID: 8a8507f3f73fa83bff46e5dffd65ff2ced0c426d1d7ca3025876877017cd58d1
                              • Opcode Fuzzy Hash: 00f4a1a8b29f5e14033d5cf025c4856411e14598586b54d303a11590eb883ce1
                              • Instruction Fuzzy Hash: 3231EFB291410AABDB20DFA0CC48FEB37BCEF89710F1081B6F919D21A1E77096458B24
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0099BEF4,?,?), ref: 0099E754
                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E76B
                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E776
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E783
                              • GlobalLock.KERNEL32(00000000), ref: 0099E78C
                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E79B
                              • GlobalUnlock.KERNEL32(00000000), ref: 0099E7A4
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E7AB
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E7BC
                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,009BD9BC,?), ref: 0099E7D5
                              • GlobalFree.KERNEL32(00000000), ref: 0099E7E5
                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0099E809
                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0099E834
                              • DeleteObject.GDI32(00000000), ref: 0099E85C
                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0099E872
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                              • String ID:
                              • API String ID: 3840717409-0
                              • Opcode ID: 026c29cd359138096127db9410a6a61cc75568188ee18acc78cad1380f25e9b0
                              • Instruction ID: 18f2ab32f4b4fada7587efbae8645843e91e9b6abe8ab4937c0e3318ee2e42d8
                              • Opcode Fuzzy Hash: 026c29cd359138096127db9410a6a61cc75568188ee18acc78cad1380f25e9b0
                              • Instruction Fuzzy Hash: 9F415975601204FFDB11DFA9CD88EAE7BB8EB89B25F104158F905D6260E7309900DB20
                              APIs
                              • __wsplitpath.LIBCMT ref: 0098076F
                              • _wcscat.LIBCMT ref: 00980787
                              • _wcscat.LIBCMT ref: 00980799
                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009807AE
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 009807C2
                              • GetFileAttributesW.KERNEL32(?), ref: 009807DA
                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 009807F4
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00980806
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                              • String ID: *.*
                              • API String ID: 34673085-438819550
                              • Opcode ID: 65a6360cb75ab34a99f97f9fe6f9c530aa8ccfaa39e178cd3470dd70335853cc
                              • Instruction ID: f841f3515a089237af05dac88ec6c7a43e69bfc18d351efc60674cd255415d3e
                              • Opcode Fuzzy Hash: 65a6360cb75ab34a99f97f9fe6f9c530aa8ccfaa39e178cd3470dd70335853cc
                              • Instruction Fuzzy Hash: 63818F725043019FCBA4EF64C845A6EB7E8BBC8314F148D2EF889D7351E735D9588B92
                              APIs
                                • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0099EF3B
                              • GetFocus.USER32 ref: 0099EF4B
                              • GetDlgCtrlID.USER32(00000000), ref: 0099EF56
                              • _memset.LIBCMT ref: 0099F081
                              • GetMenuItemInfoW.USER32 ref: 0099F0AC
                              • GetMenuItemCount.USER32(00000000), ref: 0099F0CC
                              • GetMenuItemID.USER32(?,00000000), ref: 0099F0DF
                              • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0099F113
                              • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0099F15B
                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0099F193
                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0099F1C8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                              • String ID: 0
                              • API String ID: 1296962147-4108050209
                              • Opcode ID: 86b2eb9d0a232371048abb0fa6d35d8edbaaeb6e749c2bbeba6066b3190f1c40
                              • Instruction ID: 31b5d10f25cff0d9fde84e96c04647f40a009d4f8617358ca9b0d487afc2800d
                              • Opcode Fuzzy Hash: 86b2eb9d0a232371048abb0fa6d35d8edbaaeb6e749c2bbeba6066b3190f1c40
                              • Instruction Fuzzy Hash: 22819D71509305EFDB20CF19C994A6BBBE8FB88314F10492EF998D7291D770D905CBA2
                              APIs
                                • Part of subcall function 0096ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0096ABD7
                                • Part of subcall function 0096ABBB: GetLastError.KERNEL32(?,0096A69F,?,?,?), ref: 0096ABE1
                                • Part of subcall function 0096ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0096A69F,?,?,?), ref: 0096ABF0
                                • Part of subcall function 0096ABBB: HeapAlloc.KERNEL32(00000000,?,0096A69F,?,?,?), ref: 0096ABF7
                                • Part of subcall function 0096ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0096AC0E
                                • Part of subcall function 0096AC56: GetProcessHeap.KERNEL32(00000008,0096A6B5,00000000,00000000,?,0096A6B5,?), ref: 0096AC62
                                • Part of subcall function 0096AC56: HeapAlloc.KERNEL32(00000000,?,0096A6B5,?), ref: 0096AC69
                                • Part of subcall function 0096AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0096A6B5,?), ref: 0096AC7A
                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0096A8CB
                              • _memset.LIBCMT ref: 0096A8E0
                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0096A8FF
                              • GetLengthSid.ADVAPI32(?), ref: 0096A910
                              • GetAce.ADVAPI32(?,00000000,?), ref: 0096A94D
                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0096A969
                              • GetLengthSid.ADVAPI32(?), ref: 0096A986
                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0096A995
                              • HeapAlloc.KERNEL32(00000000), ref: 0096A99C
                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0096A9BD
                              • CopySid.ADVAPI32(00000000), ref: 0096A9C4
                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0096A9F5
                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0096AA1B
                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0096AA2F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                              • String ID:
                              • API String ID: 3996160137-0
                              • Opcode ID: 7e9c782e262db57e5e1b5892daf1e362e2c290c48274f4a76a64c856c591d097
                              • Instruction ID: 60dc122ead080456e79fbd33993e6dc03297ed78154131db680999d745bc1e04
                              • Opcode Fuzzy Hash: 7e9c782e262db57e5e1b5892daf1e362e2c290c48274f4a76a64c856c591d097
                              • Instruction Fuzzy Hash: 5E515D7190020AAFDF00DFA4DD85AEEBB7AFF04310F14822AE811E6291D7359A05DF61
                              APIs
                              • GetDC.USER32(00000000), ref: 00989E36
                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00989E42
                              • CreateCompatibleDC.GDI32(?), ref: 00989E4E
                              • SelectObject.GDI32(00000000,?), ref: 00989E5B
                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00989EAF
                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00989EEB
                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00989F0F
                              • SelectObject.GDI32(00000006,?), ref: 00989F17
                              • DeleteObject.GDI32(?), ref: 00989F20
                              • DeleteDC.GDI32(00000006), ref: 00989F27
                              • ReleaseDC.USER32(00000000,?), ref: 00989F32
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                              • String ID: (
                              • API String ID: 2598888154-3887548279
                              • Opcode ID: aad79fea2e0a0217d798c76b9d5c2c7cbcaf8f075acbd5f44bcc9c8b00db712c
                              • Instruction ID: df2df72ef8b98f471306a509a279765d167993311485a6929560d840d63f7fbb
                              • Opcode Fuzzy Hash: aad79fea2e0a0217d798c76b9d5c2c7cbcaf8f075acbd5f44bcc9c8b00db712c
                              • Instruction Fuzzy Hash: 5E514976904309EFCB14DFA8C885EAEBBB9EF48710F14851DF95AA7350D731A841CB90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: LoadString__swprintf_wprintf
                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                              • API String ID: 2889450990-2391861430
                              • Opcode ID: 9ade2e742a98b97bdfefb3e73db5cb2e008b50a5c9c03083fd30714c0c72bb4d
                              • Instruction ID: 82a9fe094057ebada781044b7991afa2bc6107b427097cc86f2b68bab18a3fb5
                              • Opcode Fuzzy Hash: 9ade2e742a98b97bdfefb3e73db5cb2e008b50a5c9c03083fd30714c0c72bb4d
                              • Instruction Fuzzy Hash: 97514AB2900509BBCB15EBE0CD46FEEB778AF88344F108169B505721A2EB316F59DF61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: LoadString__swprintf_wprintf
                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                              • API String ID: 2889450990-3420473620
                              • Opcode ID: aaa6ed5ef89546a0e8af065dd784f475a7ef0833ff9f2c8283120dad91ab4521
                              • Instruction ID: 0b543116a9a2716576a46222cf639ed8e049d25e495308f653fc98030b837fe8
                              • Opcode Fuzzy Hash: aaa6ed5ef89546a0e8af065dd784f475a7ef0833ff9f2c8283120dad91ab4521
                              • Instruction Fuzzy Hash: 07519F72900509BACB15EBE0DD46FEEB778AF48344F104065B50972092EB316F59DF61
                              APIs
                              • _memset.LIBCMT ref: 009755D7
                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00975664
                              • GetMenuItemCount.USER32(009F1708), ref: 009756ED
                              • DeleteMenu.USER32(009F1708,00000005,00000000,000000F5,?,?), ref: 0097577D
                              • DeleteMenu.USER32(009F1708,00000004,00000000), ref: 00975785
                              • DeleteMenu.USER32(009F1708,00000006,00000000), ref: 0097578D
                              • DeleteMenu.USER32(009F1708,00000003,00000000), ref: 00975795
                              • GetMenuItemCount.USER32(009F1708), ref: 0097579D
                              • SetMenuItemInfoW.USER32(009F1708,00000004,00000000,00000030), ref: 009757D3
                              • GetCursorPos.USER32(?), ref: 009757DD
                              • SetForegroundWindow.USER32(00000000), ref: 009757E6
                              • TrackPopupMenuEx.USER32(009F1708,00000000,?,00000000,00000000,00000000), ref: 009757F9
                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00975805
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                              • String ID:
                              • API String ID: 3993528054-0
                              • Opcode ID: 84e1c3cccda8db0c635f85cfe4b8f362d086346920732c3f1a5583fd72005a58
                              • Instruction ID: 83e394ed173cb656c71e22eb10c42faffded33ac27b53210fdd605080fbafc8b
                              • Opcode Fuzzy Hash: 84e1c3cccda8db0c635f85cfe4b8f362d086346920732c3f1a5583fd72005a58
                              • Instruction Fuzzy Hash: D8711232645A05BFEB649B14CC49FAABF69FF40368F258209F51CAA1D1D7F16C10DB90
                              APIs
                              • _memset.LIBCMT ref: 0096A1DC
                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0096A211
                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0096A22D
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0096A249
                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0096A273
                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0096A29B
                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0096A2A6
                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0096A2AB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                              • API String ID: 1687751970-22481851
                              • Opcode ID: 00ea02b0b2c602e810a2d9c1c5727b6e8d1ab8afeb857067e770a1063e80f7f4
                              • Instruction ID: 475dee9714308b0304e74e7a46b8cf0ac6957a186d9b5e1716711de2f484af91
                              • Opcode Fuzzy Hash: 00ea02b0b2c602e810a2d9c1c5727b6e8d1ab8afeb857067e770a1063e80f7f4
                              • Instruction Fuzzy Hash: 4541E576C15229ABDB21EBA4DC95EEDB7B8FF48310F00412AE911B3161EB709E05DF50
                              APIs
                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00992BB5,?,?), ref: 00993C1D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: BuffCharUpper
                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                              • API String ID: 3964851224-909552448
                              • Opcode ID: 39bb45c770400c8b04947aa7da5f1ea57783f27d6e44340d0267edf9e85ece49
                              • Instruction ID: 54ed3ffac8340c957d28014378e7a503c275c25f696245737a771eb18b57360c
                              • Opcode Fuzzy Hash: 39bb45c770400c8b04947aa7da5f1ea57783f27d6e44340d0267edf9e85ece49
                              • Instruction Fuzzy Hash: FC41403051038A8BDF11EF19D891AFA33A5FF62344F108864FC951B2D6EB709E0ACB50
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009A36F4,00000010,?,Bad directive syntax error,009CDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009725D6
                              • LoadStringW.USER32(00000000,?,009A36F4,00000010), ref: 009725DD
                              • _wprintf.LIBCMT ref: 00972610
                              • __swprintf.LIBCMT ref: 00972632
                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009726A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                              • API String ID: 1080873982-4153970271
                              • Opcode ID: 713149bcb286fe9d9b5e75322db5c334f40b9a4d75d5a5b2beeda7f4ffd947bc
                              • Instruction ID: 3592850f82411b058d9f7f8ed96e62a378d59a30f096c0d6327bbc57917ddf0b
                              • Opcode Fuzzy Hash: 713149bcb286fe9d9b5e75322db5c334f40b9a4d75d5a5b2beeda7f4ffd947bc
                              • Instruction Fuzzy Hash: D4215C7281021AAFCF12EB90CC4AFEE7B79BF58308F044456F515660A2EB71AA18DF50
                              APIs
                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00977B42
                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00977B58
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00977B69
                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00977B7B
                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00977B8C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: SendString
                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                              • API String ID: 890592661-1007645807
                              • Opcode ID: 55e52ba3aab7a9125882e376461497a42fa7381e05a28848f405b1dd83fc2ec3
                              • Instruction ID: 955202c296af5fdadcd72eb748e2667ef7b4aebe72e03ef54444ec1b23d7ec5f
                              • Opcode Fuzzy Hash: 55e52ba3aab7a9125882e376461497a42fa7381e05a28848f405b1dd83fc2ec3
                              • Instruction Fuzzy Hash: BC1194E165029979D721B7A2CC4AEFFBBBCEBD1B14F0045197415A30D1EE705E45CAB0
                              APIs
                              • timeGetTime.WINMM ref: 00977794
                                • Part of subcall function 0094DC38: timeGetTime.WINMM(?,75A4B400,009A58AB), ref: 0094DC3C
                              • Sleep.KERNEL32(0000000A), ref: 009777C0
                              • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 009777E4
                              • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00977806
                              • SetActiveWindow.USER32 ref: 00977825
                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00977833
                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00977852
                              • Sleep.KERNEL32(000000FA), ref: 0097785D
                              • IsWindow.USER32 ref: 00977869
                              • EndDialog.USER32(00000000), ref: 0097787A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                              • String ID: BUTTON
                              • API String ID: 1194449130-3405671355
                              • Opcode ID: 21dbe8a329d462ca801bb1170ed0c4adde6525025ba53066804b4348590d7fa8
                              • Instruction ID: f8e09825f3adc011e38fbeb4f5746ba08657b49f145b014ef678c5016b98ca2a
                              • Opcode Fuzzy Hash: 21dbe8a329d462ca801bb1170ed0c4adde6525025ba53066804b4348590d7fa8
                              • Instruction Fuzzy Hash: 7C215EB222D205BFE7159BA0EC89B7A7F69FB44358F408124F51982166EBA94D00EA25
                              APIs
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                              • CoInitialize.OLE32(00000000), ref: 0098034B
                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009803DE
                              • SHGetDesktopFolder.SHELL32(?), ref: 009803F2
                              • CoCreateInstance.OLE32(009BDA8C,00000000,00000001,009E3CF8,?), ref: 0098043E
                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009804AD
                              • CoTaskMemFree.OLE32(?,?), ref: 00980505
                              • _memset.LIBCMT ref: 00980542
                              • SHBrowseForFolderW.SHELL32(?), ref: 0098057E
                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009805A1
                              • CoTaskMemFree.OLE32(00000000), ref: 009805A8
                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009805DF
                              • CoUninitialize.OLE32(00000001,00000000), ref: 009805E1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                              • String ID:
                              • API String ID: 1246142700-0
                              • Opcode ID: aa0a5e0369a2d303dcf5ee810baff56561761577fc34f8a96f2d8d0a0ed3b2af
                              • Instruction ID: 3be617254ba92ca40e5992a33fb43d609b9adc2ea2d2fae09b24d7eb8ed025d1
                              • Opcode Fuzzy Hash: aa0a5e0369a2d303dcf5ee810baff56561761577fc34f8a96f2d8d0a0ed3b2af
                              • Instruction Fuzzy Hash: 7BB1C975A00109AFDB04DFA5C889EAEBBB9EF88314F148469F809EB251D770EE45CF50
                              APIs
                              • GetKeyboardState.USER32(?), ref: 00972ED6
                              • SetKeyboardState.USER32(?), ref: 00972F41
                              • GetAsyncKeyState.USER32(000000A0), ref: 00972F61
                              • GetKeyState.USER32(000000A0), ref: 00972F78
                              • GetAsyncKeyState.USER32(000000A1), ref: 00972FA7
                              • GetKeyState.USER32(000000A1), ref: 00972FB8
                              • GetAsyncKeyState.USER32(00000011), ref: 00972FE4
                              • GetKeyState.USER32(00000011), ref: 00972FF2
                              • GetAsyncKeyState.USER32(00000012), ref: 0097301B
                              • GetKeyState.USER32(00000012), ref: 00973029
                              • GetAsyncKeyState.USER32(0000005B), ref: 00973052
                              • GetKeyState.USER32(0000005B), ref: 00973060
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: State$Async$Keyboard
                              • String ID:
                              • API String ID: 541375521-0
                              • Opcode ID: 26cdcbb48fba21c6198f3ef5326d6dd36516d84c579dfc5e975e39cfd756d2ba
                              • Instruction ID: 9de88c4b594ca6ba85e1325b2e88eff00617611a6836e28b3c6a83df7b4f4737
                              • Opcode Fuzzy Hash: 26cdcbb48fba21c6198f3ef5326d6dd36516d84c579dfc5e975e39cfd756d2ba
                              • Instruction Fuzzy Hash: 5E51EA2291878469FB35EBB48811BEABFF85F11340F08C59DD5CA561C2DB549B8CC762
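The entries above carry the evidence an analyst actually pivots on: the modifier-key polling at 00972ED6 (GetAsyncKeyState/GetKeyState over VK_LSHIFT 0xA0, VK_RSHIFT 0xA1, VK_CONTROL 0x11, VK_MENU 0x12, VK_LWIN 0x5B), the hidden-dialog handling at 00977833/00977852 (SendMessageW with 0x00F5, which is BM_CLICK, and 0x0010, which is WM_CLOSE), and the fuzzy hashes that let the same runtime function be matched across samples. Reading that out of a long report by hand does not scale, so the following is an added example, not code from Joe Sandbox or from the sample: a parser for the entry layout shown on this page plus a small rule set that turns API and string evidence into labels. It assumes only the plain-text layout visible here (an entry runs from an "APIs" header to its "Instruction Fuzzy Hash" bullet), uses the documented Win32 values BM_CLICK = 0x00F5 and WM_CLOSE = 0x0010, and runs on a constructed excerpt of two entries copied from this page.

```python
"""Parse Joe Sandbox "IDA Plugin" function entries and flag notable API clusters.

Added example, not part of the Joe Sandbox report or its tooling. Assumes only the
plain-text layout shown on this page: an entry starts at an "APIs" header and ends at
its "Instruction Fuzzy Hash" bullet; API bullets read "• Name.MODULE(args), ref: ADDR";
every other bullet is "• Key: value".
"""
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-F]+):\s*)?(\S+?)\.([A-Z0-9_]+)(.*)$")
KV_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
REF_RE = re.compile(r"ref:\s*([0-9A-F]{8})")
KEY_STATE_APIS = {"GetKeyState", "GetAsyncKeyState", "GetKeyboardState"}
BM_CLICK, WM_CLOSE = "000000F5", "00000010"   # 0x00F5 and 0x0010, as the report prints them


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str          # call-site address, "" when the report gives none
    subcall_of: str   # callee address on "Part of subcall function" lines, else ""


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # API ID, String ID, hashes, dump source

    def address(self):
        """First direct call-site address: a rough locator for the function."""
        return next((c.ref for c in self.apis if c.ref and not c.subcall_of), "")


def parse_entries(text):
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":                       # each entry opens with its API list
                cur = FunctionEntry()
            section = line
        elif cur is not None and line.startswith("•"):
            if section == "APIs" and (m := API_RE.match(line)):
                sub, name, module, rest = m.groups()
                args = rest[1:rest.rfind(")")].split(",") if rest.startswith("(") else []
                ref = REF_RE.search(rest)
                cur.apis.append(ApiCall(name, module, args, ref.group(1) if ref else "", sub or ""))
            elif section != "APIs" and (m := KV_RE.match(line)):
                key, value = m.groups()
                cur.meta[key] = value.replace("Download File", "").strip()  # web-UI link label
                if key == "Instruction Fuzzy Hash":  # always the last bullet of an entry
                    entries.append(cur)
                    cur = None
    return entries


def flag_capabilities(entry):
    """Translate API and string evidence in one entry into analyst-facing labels."""
    flags = set()
    if len({c.name for c in entry.apis} & KEY_STATE_APIS) >= 2:
        flags.add("keyboard-state polling")
    if "gethostbyname" in entry.meta.get("API ID", "").lower():
        flags.add("local IP discovery")
    for c in entry.apis:
        if c.name == "SendMessageW" and BM_CLICK in c.args:
            flags.add("synthetic button click (BM_CLICK)")
        if c.name == "SendMessageW" and WM_CLOSE in c.args:
            flags.add("WM_CLOSE sent to a window")
    return flags


# Constructed input: two entries copied from this page, trimmed to the bullets the parser uses.
SAMPLE = """APIs
• timeGetTime.WINMM ref: 00977794
  • Part of subcall function 0094DC38: timeGetTime.WINMM(?,75A4B400,009A58AB), ref: 0094DC3C
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00977833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00977852
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• Instruction Fuzzy Hash: 7C215EB222D205BFE7159BA0EC89B7A7F69FB44358F408124F51982166EBA94D00EA25
APIs
• GetKeyboardState.USER32(?), ref: 00972ED6
• GetAsyncKeyState.USER32(000000A0), ref: 00972F61
• GetKeyState.USER32(000000A0), ref: 00972F78
Similarity
• API ID: State$Async$Keyboard
• String ID:
• Instruction Fuzzy Hash: 5E51EA2291878469FB35EBB48811BEABFF85F11340F08C59DD5CA561C2DB549B8CC762
"""


def triage(text=SAMPLE):
    """Return {function address: sorted capability flags} for every parsed entry."""
    return {e.address(): sorted(flag_capabilities(e)) for e in parse_entries(text)}
```

Two caveats when using this on a full report. The argument lists are stack-slot guesses from the disassembler, so a constant such as 0x00F5 should be treated as a hint to confirm in the function, not as proof of a BM_CLICK. And because this sample is a compiled AutoIt script, these entries describe the AutoIt interpreter's own runtime (Send() modifier handling, ControlClick, SoundPlay, DriveGetDrive); the stealer logic lives in the injected .NET payload that the report's signatures attribute to AgentTesla, and the Instruction Fuzzy Hash values are what let you match this runtime across unrelated AutoIt-wrapped samples rather than treat each as novel.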
                              APIs
                              • GetDlgItem.USER32(?,00000001), ref: 0096ED1E
                              • GetWindowRect.USER32(00000000,?), ref: 0096ED30
                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0096ED8E
                              • GetDlgItem.USER32(?,00000002), ref: 0096ED99
                              • GetWindowRect.USER32(00000000,?), ref: 0096EDAB
                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0096EE01
                              • GetDlgItem.USER32(?,000003E9), ref: 0096EE0F
                              • GetWindowRect.USER32(00000000,?), ref: 0096EE20
                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0096EE63
                              • GetDlgItem.USER32(?,000003EA), ref: 0096EE71
                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0096EE8E
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0096EE9B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$ItemMoveRect$Invalidate
                              • String ID:
                              • API String ID: 3096461208-0
                              • Opcode ID: 7cc38d97496cf5b8a285dfd9682b2ce9898486a67da9331d5fbc044bda7a2983
                              • Instruction ID: 52595ba95ffbcfdc2c6a867e424ee67bf6be12d0360ab1427bf21749bf0e616b
                              • Opcode Fuzzy Hash: 7cc38d97496cf5b8a285dfd9682b2ce9898486a67da9331d5fbc044bda7a2983
                              • Instruction Fuzzy Hash: 7C511F75B10205EFDB18CF69DD95AAEBBBAEB88710F148229F519D7290E7709D048B10
                              APIs
                                • Part of subcall function 0094B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0094B759,?,00000000,?,?,?,?,0094B72B,00000000,?), ref: 0094BA58
                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0094B72B), ref: 0094B7F6
                              • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0094B72B,00000000,?,?,0094B2EF,?,?), ref: 0094B88D
                              • DestroyAcceleratorTable.USER32(00000000), ref: 009AD8A6
                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0094B72B,00000000,?,?,0094B2EF,?,?), ref: 009AD8D7
                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0094B72B,00000000,?,?,0094B2EF,?,?), ref: 009AD8EE
                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0094B72B,00000000,?,?,0094B2EF,?,?), ref: 009AD90A
                              • DeleteObject.GDI32(00000000), ref: 009AD91C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                              • String ID:
                              • API String ID: 641708696-0
                              • Opcode ID: 9ca1f84a1d9e03448bca3caa1c49b2ba152853fef81bc37efa1055aa71bf66ea
                              • Instruction ID: af4882c0c6e0ac8e9c5ff3a25be7300c49b12ee0cde2e8d1816494e46c54a917
                              • Opcode Fuzzy Hash: 9ca1f84a1d9e03448bca3caa1c49b2ba152853fef81bc37efa1055aa71bf66ea
                              • Instruction Fuzzy Hash: 25618A3052A601DFDB359F19D988B36B7F9FF96325F24051DE04686A70C774E890EB80
                              APIs
                                • Part of subcall function 0094B526: GetWindowLongW.USER32(?,000000EB), ref: 0094B537
                              • GetSysColor.USER32(0000000F), ref: 0094B438
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ColorLongWindow
                              • String ID:
                              • API String ID: 259745315-0
                              • Opcode ID: 6c6cc39a197375435e3889bb7feb318d464180334c1e61258dd5fc162b1b359e
                              • Instruction ID: ba59616d3d86539df81493ae2685820eb261572523259d9dcc7c9840366ff7ce
                              • Opcode Fuzzy Hash: 6c6cc39a197375435e3889bb7feb318d464180334c1e61258dd5fc162b1b359e
                              • Instruction Fuzzy Hash: 5441CF34009100AFDB245F28D889FB93B6AAB06731F184761FD668A1F6D730CD42EB61
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                              • String ID:
                              • API String ID: 136442275-0
                              • Opcode ID: c9bdab394e75247884217d607a877c8802f1185043b65c8be8200bab3a2517b2
                              • Instruction ID: ea75489078552ac5a074a30fe856133818ef2aed738c0c8c082c53bb6f86705e
                              • Opcode Fuzzy Hash: c9bdab394e75247884217d607a877c8802f1185043b65c8be8200bab3a2517b2
                              • Instruction Fuzzy Hash: F9410E7784521CAECF65DB95CC45EDA73BCEBC4310F0041E6BA99A2051EB30ABE98F50
                              APIs
                              • CharLowerBuffW.USER32(009CDC00,009CDC00,009CDC00), ref: 0097D7CE
                              • GetDriveTypeW.KERNEL32(?,009E3A70,00000061), ref: 0097D898
                              • _wcscpy.LIBCMT ref: 0097D8C2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: BuffCharDriveLowerType_wcscpy
                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                              • API String ID: 2820617543-1000479233
                              • Opcode ID: f6d99bd72d8319ef7adfc7b0df755df784824363ccbc208b97c019c46c7f4461
                              • Instruction ID: 39ce7a01097eed7c0e36b72094b7d13c75d2b6d2b70bb997b62d8fe37636cfa7
                              • Opcode Fuzzy Hash: f6d99bd72d8319ef7adfc7b0df755df784824363ccbc208b97c019c46c7f4461
                              • Instruction Fuzzy Hash: D7517C72509340AFC710EF14D892BAAB7B5EFC4314F10C92DF99A572A2DB31EE45CA42
                              APIs
                              • __swprintf.LIBCMT ref: 009393AB
                              • __itow.LIBCMT ref: 009393DF
                                • Part of subcall function 00951557: _xtow@16.LIBCMT ref: 00951578
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __itow__swprintf_xtow@16
                              • String ID: %.15g$0x%p$False$True
                              • API String ID: 1502193981-2263619337
                              • Opcode ID: 1e7f7d0e8eb1a84e4178486227bfac4fc411f56629d62faed7f819f230b61540
                              • Instruction ID: 3d18fdf44be8ad0397819758fd9f2fa2e6fe0ca654c74c63cf1cf5960a2a739e
                              • Opcode Fuzzy Hash: 1e7f7d0e8eb1a84e4178486227bfac4fc411f56629d62faed7f819f230b61540
                              • Instruction Fuzzy Hash: DF41E571504205ABDB24EB74D946FAAB3F8EFC9310F20486AF58ED71C1EAB19941CF51
                              APIs
                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0099A259
                              • CreateCompatibleDC.GDI32(00000000), ref: 0099A260
                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0099A273
                              • SelectObject.GDI32(00000000,00000000), ref: 0099A27B
                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0099A286
                              • DeleteDC.GDI32(00000000), ref: 0099A28F
                              • GetWindowLongW.USER32(?,000000EC), ref: 0099A299
                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0099A2AD
                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0099A2B9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                              • String ID: static
                              • API String ID: 2559357485-2160076837
                              • Opcode ID: 3ac4a6d049c27ff3e299f135aea95991e9d5f6b12a3e4aa44624c2e30aed5844
                              • Instruction ID: a32ab02510097df5553f3a55bc4d7bc88d1fcfa6ff9000e856e86f136bd1cecb
                              • Opcode Fuzzy Hash: 3ac4a6d049c27ff3e299f135aea95991e9d5f6b12a3e4aa44624c2e30aed5844
                              • Instruction Fuzzy Hash: 2D31BE31105115ABDF219FA8DD49FEE3B6DFF0A320F100314FA29A20A0D736D811EBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                              • String ID: 0.0.0.0
                              • API String ID: 2620052-3771769585
                              APIs
                              • _memset.LIBCMT ref: 00955047
                                • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                              • __gmtime64_s.LIBCMT ref: 009550E0
                              • __gmtime64_s.LIBCMT ref: 00955116
                              • __gmtime64_s.LIBCMT ref: 00955133
                              • __allrem.LIBCMT ref: 00955189
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009551A5
                              • __allrem.LIBCMT ref: 009551BC
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009551DA
                              • __allrem.LIBCMT ref: 009551F1
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0095520F
                              • __invoke_watson.LIBCMT ref: 00955280
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                              • String ID:
                              • API String ID: 384356119-0
                              APIs
                              • _memset.LIBCMT ref: 00974DF8
                              • GetMenuItemInfoW.USER32(009F1708,000000FF,00000000,00000030), ref: 00974E59
                              • SetMenuItemInfoW.USER32(009F1708,00000004,00000000,00000030), ref: 00974E8F
                              • Sleep.KERNEL32(000001F4), ref: 00974EA1
                              • GetMenuItemCount.USER32(?), ref: 00974EE5
                              • GetMenuItemID.USER32(?,00000000), ref: 00974F01
                              • GetMenuItemID.USER32(?,-00000001), ref: 00974F2B
                              • GetMenuItemID.USER32(?,?), ref: 00974F70
                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00974FB6
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00974FCA
                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00974FEB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                              • String ID:
                              • API String ID: 4176008265-0
                              APIs
                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00999C98
                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00999C9B
                              • GetWindowLongW.USER32(?,000000F0), ref: 00999CBF
                              • _memset.LIBCMT ref: 00999CD0
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00999CE2
                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00999D5A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$LongWindow_memset
                              • String ID:
                              • API String ID: 830647256-0
                              APIs
                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 009694FE
                              • SafeArrayAllocData.OLEAUT32(?), ref: 00969549
                              • VariantInit.OLEAUT32(?), ref: 0096955B
                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 0096957B
                              • VariantCopy.OLEAUT32(?,?), ref: 009695BE
                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 009695D2
                              • VariantClear.OLEAUT32(?), ref: 009695E7
                              • SafeArrayDestroyData.OLEAUT32(?), ref: 009695F4
                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009695FD
                              • VariantClear.OLEAUT32(?), ref: 0096960F
                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0096961A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                              • String ID:
                              • API String ID: 2706829360-0
                              APIs
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                              • CoInitialize.OLE32 ref: 0098ADF6
                              • CoUninitialize.OLE32 ref: 0098AE01
                              • CoCreateInstance.OLE32(?,00000000,00000017,009BD8FC,?), ref: 0098AE61
                              • IIDFromString.OLE32(?,?), ref: 0098AED4
                              • VariantInit.OLEAUT32(?), ref: 0098AF6E
                              • VariantClear.OLEAUT32(?), ref: 0098AFCF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                              • API String ID: 834269672-1287834457
                              APIs
                              • WSAStartup.WSOCK32(00000101,?), ref: 00988168
                              • inet_addr.WSOCK32(?,?,?), ref: 009881AD
                              • gethostbyname.WSOCK32(?), ref: 009881B9
                              • IcmpCreateFile.IPHLPAPI ref: 009881C7
                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00988237
                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0098824D
                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009882C2
                              • WSACleanup.WSOCK32 ref: 009882C8
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                              • String ID: Ping
                              • API String ID: 1028309954-2246546115
                              APIs
                              • _memset.LIBCMT ref: 00999E5B
                              • CreateMenu.USER32 ref: 00999E76
                              • SetMenu.USER32(?,00000000), ref: 00999E85
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00999F12
                              • IsMenu.USER32(?), ref: 00999F28
                              • CreatePopupMenu.USER32 ref: 00999F32
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00999F63
                              • DrawMenuBar.USER32 ref: 00999F71
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                              • String ID: 0
                              • API String ID: 176399719-4108050209
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0097E396
                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0097E40C
                              • GetLastError.KERNEL32 ref: 0097E416
                              • SetErrorMode.KERNEL32(00000000,READY), ref: 0097E483
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Error$Mode$DiskFreeLastSpace
                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                              • API String ID: 4194297153-14809454
                              APIs
                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0096B98C
                              • GetDlgCtrlID.USER32 ref: 0096B997
                              • GetParent.USER32 ref: 0096B9B3
                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0096B9B6
                              • GetDlgCtrlID.USER32(?), ref: 0096B9BF
                              • GetParent.USER32(?), ref: 0096B9DB
                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0096B9DE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$CtrlParent
                              • String ID: ComboBox$ListBox
                              • API String ID: 1383977212-1403004172
                              APIs
                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0096BA73
                              • GetDlgCtrlID.USER32 ref: 0096BA7E
                              • GetParent.USER32 ref: 0096BA9A
                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0096BA9D
                              • GetDlgCtrlID.USER32(?), ref: 0096BAA6
                              • GetParent.USER32(?), ref: 0096BAC2
                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0096BAC5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$CtrlParent
                              • String ID: ComboBox$ListBox
                              • API String ID: 1383977212-1403004172
                              APIs
                              • GetParent.USER32 ref: 0096BAE3
                              • GetClassNameW.USER32(00000000,?,00000100), ref: 0096BAF8
                              • _wcscmp.LIBCMT ref: 0096BB0A
                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0096BB85
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ClassMessageNameParentSend_wcscmp
                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                              • API String ID: 1704125052-3381328864
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 0098B2D5
                              • CoInitialize.OLE32(00000000), ref: 0098B302
                              • CoUninitialize.OLE32 ref: 0098B30C
                              • GetRunningObjectTable.OLE32(00000000,?), ref: 0098B40C
                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 0098B539
                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0098B56D
                              • CoGetObject.OLE32(?,00000000,009BD91C,?), ref: 0098B590
                              • SetErrorMode.KERNEL32(00000000), ref: 0098B5A3
                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0098B623
                              • VariantClear.OLEAUT32(009BD91C), ref: 0098B633
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                              • String ID:
                              • API String ID: 2395222682-0
                              APIs
                              • __lock.LIBCMT ref: 0095ACC1
                                • Part of subcall function 00957CF4: __mtinitlocknum.LIBCMT ref: 00957D06
                                • Part of subcall function 00957CF4: EnterCriticalSection.KERNEL32(00000000,?,00957ADD,0000000D), ref: 00957D1F
                              • __calloc_crt.LIBCMT ref: 0095ACD2
                                • Part of subcall function 00956986: __calloc_impl.LIBCMT ref: 00956995
                                • Part of subcall function 00956986: Sleep.KERNEL32(00000000,000003BC,0094F507,?,0000000E), ref: 009569AC
                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 0095ACED
                              • GetStartupInfoW.KERNEL32(?,009E6E28,00000064,00955E91,009E6C70,00000014), ref: 0095AD46
                              • __calloc_crt.LIBCMT ref: 0095AD91
                              • GetFileType.KERNEL32(00000001), ref: 0095ADD8
                              • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0095AE11
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                              • String ID:
                              • API String ID: 1426640281-0
                              • Opcode ID: 05a6aa0c41f457b731c62194f11028e5c13c359680c42719f72ed27bbd37f606
                              • Instruction ID: 845738a917e055e0d3b5ac4b32c7090d36ab46d4156bef1138bdeacd288e7f1d
                              • Opcode Fuzzy Hash: 05a6aa0c41f457b731c62194f11028e5c13c359680c42719f72ed27bbd37f606
                              • Instruction Fuzzy Hash: 558146709053458FCB14CF69C8416ADBBF4AF49336B24435DD8A6AB3D1D334980BCB5A
                              APIs
                              • __swprintf.LIBCMT ref: 009767FD
                              • __swprintf.LIBCMT ref: 0097680A
                                • Part of subcall function 0095172B: __woutput_l.LIBCMT ref: 00951784
                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00976834
                              • LoadResource.KERNEL32(?,00000000), ref: 00976840
                              • LockResource.KERNEL32(00000000), ref: 0097684D
                              • FindResourceW.KERNEL32(?,?,00000003), ref: 0097686D
                              • LoadResource.KERNEL32(?,00000000), ref: 0097687F
                              • SizeofResource.KERNEL32(?,00000000), ref: 0097688E
                              • LockResource.KERNEL32(?), ref: 0097689A
                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 009768F9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                              • String ID:
                              • API String ID: 1433390588-0
                              • Opcode ID: 93e710fff215bb38522a1e42af67e7b3d63d0258d0c39dbfa67c59494e3f4b02
                              • Instruction ID: 83463da66028ecd1fa1e085e45db56c9df9685a990678beefb25aa18b6402eb0
                              • Opcode Fuzzy Hash: 93e710fff215bb38522a1e42af67e7b3d63d0258d0c39dbfa67c59494e3f4b02
                              • Instruction Fuzzy Hash: CF31CD72A0525AABCB109FA1DD48AFA7BACFF08340B008525F916E2140E734D911EBA1
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 00974047
                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,009730A5,?,00000001), ref: 0097405B
                              • GetWindowThreadProcessId.USER32(00000000), ref: 00974062
                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009730A5,?,00000001), ref: 00974071
                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00974083
                              • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,009730A5,?,00000001), ref: 0097409C
                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009730A5,?,00000001), ref: 009740AE
                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009730A5,?,00000001), ref: 009740F3
                              • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,009730A5,?,00000001), ref: 00974108
                              • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,009730A5,?,00000001), ref: 00974113
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                              • String ID:
                              • API String ID: 2156557900-0
                              • Opcode ID: c095abd8ec26c893ed41570c4b14f8071cd5f78aa60b65b9fa57a5e1d371bac4
                              • Instruction ID: 03671d1d07e20b3c75a313fb1213666e0515cb63a65f12a6c86015e46df6f35e
                              • Opcode Fuzzy Hash: c095abd8ec26c893ed41570c4b14f8071cd5f78aa60b65b9fa57a5e1d371bac4
                              • Instruction Fuzzy Hash: 98319376528204EFDB10EF64DC85B7977ADBB64321F11C119FD08E6291EBB89980DF60
                              APIs
                              • GetSysColor.USER32(00000008), ref: 0094B496
                              • SetTextColor.GDI32(?,000000FF), ref: 0094B4A0
                              • SetBkMode.GDI32(?,00000001), ref: 0094B4B5
                              • GetStockObject.GDI32(00000005), ref: 0094B4BD
                              • GetClientRect.USER32(?), ref: 009ADD63
                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 009ADD7A
                              • GetWindowDC.USER32(?), ref: 009ADD86
                              • GetPixel.GDI32(00000000,?,?), ref: 009ADD95
                              • ReleaseDC.USER32(?,00000000), ref: 009ADDA7
                              • GetSysColor.USER32(00000005), ref: 009ADDC5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                              • String ID:
                              • API String ID: 3430376129-0
                              • Opcode ID: 3a2f17af49793d969ed39e39dd29776fc6d47309f467d66f88a0615d5b021b4c
                              • Instruction ID: 3a689f33e351292a45e0ea90a172b351129f3ed502b77eec6cb302acebafd526
                              • Opcode Fuzzy Hash: 3a2f17af49793d969ed39e39dd29776fc6d47309f467d66f88a0615d5b021b4c
                              • Instruction Fuzzy Hash: 9B11A931119201EFDB212BA4ED08FE93B65EB05335F108721FA26950F2EB714941EF20
                              APIs
                              • EnumChildWindows.USER32(?,0096CF50), ref: 0096CE90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ChildEnumWindows
                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                              • API String ID: 3555792229-1603158881
                              • Opcode ID: 7b2cbf167de118c8526b95372c5c4de14ca10e1becf24436ba279c119bcb42eb
                              • Instruction ID: f629720c3f9e28c6ca5926f4bf57da6c47c1b42e66ab76e0fba492e24664eb07
                              • Opcode Fuzzy Hash: 7b2cbf167de118c8526b95372c5c4de14ca10e1becf24436ba279c119bcb42eb
                              • Instruction Fuzzy Hash: 6A9192B0A00646ABCB19DF60C481BFAFBB9BF44340F548519E899A7191DF31AD59CBE0
                              APIs
                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009330DC
                              • CoUninitialize.OLE32(?,00000000), ref: 00933181
                              • UnregisterHotKey.USER32(?), ref: 009332A9
                              • DestroyWindow.USER32(?), ref: 009A5079
                              • FreeLibrary.KERNEL32(?), ref: 009A50F8
                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 009A5125
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                              • String ID: close all
                              • API String ID: 469580280-3243417748
                              • Opcode ID: 6f3ac2ba1907457e0e64d4ef56d0e8392dfcb38c0961e5e469a266d1be1eea49
                              • Instruction ID: 72017c89153b6abb15759da476ac6db068165b1e656a6d1be74aad5397b5a5ce
                              • Opcode Fuzzy Hash: 6f3ac2ba1907457e0e64d4ef56d0e8392dfcb38c0961e5e469a266d1be1eea49
                              • Instruction Fuzzy Hash: A49147747452028FC709EF24C999F69F3B8FF45304F5582A9E40AA7262DB30AE66CF50
                              APIs
                              • SetWindowLongW.USER32(?,000000EB), ref: 0094CC15
                                • Part of subcall function 0094CCCD: GetClientRect.USER32(?,?), ref: 0094CCF6
                                • Part of subcall function 0094CCCD: GetWindowRect.USER32(?,?), ref: 0094CD37
                                • Part of subcall function 0094CCCD: ScreenToClient.USER32(?,?), ref: 0094CD5F
                              • GetDC.USER32 ref: 009AD137
                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009AD14A
                              • SelectObject.GDI32(00000000,00000000), ref: 009AD158
                              • SelectObject.GDI32(00000000,00000000), ref: 009AD16D
                              • ReleaseDC.USER32(?,00000000), ref: 009AD175
                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009AD200
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                              • String ID: U
                              • API String ID: 4009187628-3372436214
                              • Opcode ID: 135cfde30f0b0b8f6e6606313a4d1e747e3fee678dc36f0a37366bcab7e2366a
                              • Instruction ID: e3b6a78b681c5af9b57ba8d7c5b8513da082f68a4b32194c48cfc91aec145722
                              • Opcode Fuzzy Hash: 135cfde30f0b0b8f6e6606313a4d1e747e3fee678dc36f0a37366bcab7e2366a
                              • Instruction Fuzzy Hash: 88711070406204DFCF25CF64C881EBA3BB9FF4A324F144669ED569A6A6D7318C41DFA0
                              APIs
                                • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                • Part of subcall function 0094B63C: GetCursorPos.USER32(000000FF), ref: 0094B64F
                                • Part of subcall function 0094B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0094B66C
                                • Part of subcall function 0094B63C: GetAsyncKeyState.USER32(00000001), ref: 0094B691
                                • Part of subcall function 0094B63C: GetAsyncKeyState.USER32(00000002), ref: 0094B69F
                              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0099ED3C
                              • ImageList_EndDrag.COMCTL32 ref: 0099ED42
                              • ReleaseCapture.USER32 ref: 0099ED48
                              • SetWindowTextW.USER32(?,00000000), ref: 0099EDF0
                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0099EE03
                              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0099EEDC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                              • API String ID: 1924731296-2107944366
                              • Opcode ID: 27073557e9629b6c6110b1dc4f2d1b9014c5496631e4a9e5aa0ec761ff03b45c
                              • Instruction ID: 9f4b870b3e233c45a9368e92610a34e0b877f8fa6737df0e2c6f799022fce965
                              • Opcode Fuzzy Hash: 27073557e9629b6c6110b1dc4f2d1b9014c5496631e4a9e5aa0ec761ff03b45c
                              • Instruction Fuzzy Hash: 3B519B70218304AFDB10EF24DC96F6A77E8FB88714F404A2DF595972E1DB70A904DB92
                              APIs
                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009845FF
                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0098462B
                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0098466D
                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00984682
                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0098468F
                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009846BF
                              • InternetCloseHandle.WININET(00000000), ref: 00984706
                                • Part of subcall function 00985052: GetLastError.KERNEL32(?,?,009843CC,00000000,00000000,00000001), ref: 00985067
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                              • String ID:
                              • API String ID: 1241431887-3916222277
                              • Opcode ID: 372a092241e091f9f4f5963e5f06e1b1f35d772159300ac16d211fda6bfeeff8
                              • Instruction ID: 587ea54a858a6136f44916696fc220ffc5beaaea5ecabc98438d944d62f452ca
                              • Opcode Fuzzy Hash: 372a092241e091f9f4f5963e5f06e1b1f35d772159300ac16d211fda6bfeeff8
                              • Instruction Fuzzy Hash: 334160B1501206BFEB16AF50CC89FFB77ACFF09354F104126FA059A241EBB49D449BA4
                              APIs
                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,009CDC00), ref: 0098B715
                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,009CDC00), ref: 0098B749
                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0098B8C1
                              • SysFreeString.OLEAUT32(?), ref: 0098B8EB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                              • String ID:
                              • API String ID: 560350794-0
                              • Opcode ID: 6f28da8992007a8f43281e98fabc8f6502b18b0843999e4b4b345bdb2acd7f1f
                              • Instruction ID: 0cc665339ef9989cca01b6d003bb104b62f5874e9c423ee3648510f7cb059de0
                              • Opcode Fuzzy Hash: 6f28da8992007a8f43281e98fabc8f6502b18b0843999e4b4b345bdb2acd7f1f
                              • Instruction Fuzzy Hash: 97F14C75A00209EFCF04EF94C888EAEB7B9FF89315F148459F915AB250DB31AE45CB90
                              APIs
                              • _memset.LIBCMT ref: 009924F5
                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00992688
                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009926AC
                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009926EC
                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0099270E
                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0099286F
                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009928A1
                              • CloseHandle.KERNEL32(?), ref: 009928D0
                              • CloseHandle.KERNEL32(?), ref: 00992947
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                              • String ID:
                              • API String ID: 4090791747-0
                              • Opcode ID: 2b0edff36012906f2ef8913df47e3c05382c70d560988108edbde2ec051107f0
                              • Instruction ID: 40128cac31c8ee4609fe703ddceec2a5352e49ac9f2efeb0752feabb47f6055d
                              • Opcode Fuzzy Hash: 2b0edff36012906f2ef8913df47e3c05382c70d560988108edbde2ec051107f0
                              • Instruction Fuzzy Hash: DDD1AF71604301EFCB14EF29C491B6EBBE5AF85314F14896DF8999B2A2DB31EC44CB52
                              APIs
                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0099B3F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: InvalidateRect
                              • String ID:
                              • API String ID: 634782764-0
                              • Opcode ID: 3c4b383c0a5c9d73defe3f9e217446002ae02159d4a54d00e48c310a04a00167
                              • Instruction ID: 33baeab54d1ca28db33dc6323fa266263f092888b28d4fc89246a3554a0982f8
                              • Opcode Fuzzy Hash: 3c4b383c0a5c9d73defe3f9e217446002ae02159d4a54d00e48c310a04a00167
                              • Instruction Fuzzy Hash: 7351A130501208FBEF249F2CEE86BAD3B68AB05324F644515F619D61E2D7B9E940EB51
                              APIs
                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 009ADB1B
                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009ADB3C
                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009ADB51
                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 009ADB6E
                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009ADB95
                              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0094A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 009ADBA0
                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009ADBBD
                              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0094A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 009ADBC8
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Icon$DestroyExtractImageLoadMessageSend
                              • String ID:
                              • API String ID: 1268354404-0
                              • Opcode ID: a0db869722c3c664c96bbbbaf7a99a754b06ba34bdf5174e17ae7def9d703373
                              • Instruction ID: 8f590040717865ae5d565f077524e5737fcb1fd92a93932dd93ae38dc91cdd13
                              • Opcode Fuzzy Hash: a0db869722c3c664c96bbbbaf7a99a754b06ba34bdf5174e17ae7def9d703373
                              • Instruction Fuzzy Hash: 31518B70A55208EFDB24CF68CC81FAA77B9BB58364F110618F946D7690D7B0AD80DBA0
                              APIs
                                • Part of subcall function 00976EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00975FA6,?), ref: 00976ED8
                                • Part of subcall function 00976EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00975FA6,?), ref: 00976EF1
                                • Part of subcall function 009772CB: GetFileAttributesW.KERNEL32(?,00976019), ref: 009772CC
                              • lstrcmpiW.KERNEL32(?,?), ref: 009775CA
                              • _wcscmp.LIBCMT ref: 009775E2
                              • MoveFileW.KERNEL32(?,?), ref: 009775FB
                              Similarity
                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                              • String ID:
                              • API String ID: 793581249-0
                              APIs
                              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,009ADAD1,00000004,00000000,00000000), ref: 0094EAEB
                              • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,009ADAD1,00000004,00000000,00000000), ref: 0094EB32
                              • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,009ADAD1,00000004,00000000,00000000), ref: 009ADC86
                              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,009ADAD1,00000004,00000000,00000000), ref: 009ADCF2
                              Similarity
                              • API ID: ShowWindow
                              • String ID:
                              • API String ID: 1268545403-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0096AEF1,00000B00,?,?), ref: 0096B26C
                              • HeapAlloc.KERNEL32(00000000,?,0096AEF1,00000B00,?,?), ref: 0096B273
                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0096AEF1,00000B00,?,?), ref: 0096B288
                              • GetCurrentProcess.KERNEL32(?,00000000,?,0096AEF1,00000B00,?,?), ref: 0096B290
                              • DuplicateHandle.KERNEL32(00000000,?,0096AEF1,00000B00,?,?), ref: 0096B293
                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0096AEF1,00000B00,?,?), ref: 0096B2A3
                              • GetCurrentProcess.KERNEL32(0096AEF1,00000000,?,0096AEF1,00000B00,?,?), ref: 0096B2AB
                              • DuplicateHandle.KERNEL32(00000000,?,0096AEF1,00000B00,?,?), ref: 0096B2AE
                              • CreateThread.KERNEL32(00000000,00000000,0096B2D4,00000000,00000000,00000000), ref: 0096B2C8
                              Similarity
                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                              • String ID:
                              • API String ID: 1957940570-0
                              Similarity
                              • API ID:
                              • String ID: NULL Pointer assignment$Not an Object type
                              • API String ID: 0-572801152
                              Similarity
                              • API ID: Variant$ClearInit$_memset
                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                              • API String ID: 2862541840-625585964
                              APIs
                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00999B19
                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00999B2D
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00999B47
                              • _wcscat.LIBCMT ref: 00999BA2
                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00999BB9
                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00999BE7
                              Similarity
                              • API ID: MessageSend$Window_wcscat
                              • String ID: SysListView32
                              • API String ID: 307300125-78025650
                              APIs
                                • Part of subcall function 00976532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00976554
                                • Part of subcall function 00976532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00976564
                                • Part of subcall function 00976532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 009765F9
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0099179A
                              • GetLastError.KERNEL32 ref: 009917AD
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009917D9
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00991855
                              • GetLastError.KERNEL32(00000000), ref: 00991860
                              • CloseHandle.KERNEL32(00000000), ref: 00991895
                              Similarity
                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                              • String ID: SeDebugPrivilege
                              • API String ID: 2533919879-2896544425
                              APIs
                              • LoadIconW.USER32(00000000,00007F03), ref: 009758B8
                              Similarity
                              • API ID: IconLoad
                              • String ID: blank$info$question$stop$warning
                              • API String ID: 2457776203-404129466
                              APIs
                              • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0097A806
                              Similarity
                              • API ID: ArraySafeVartype
                              • String ID:
                              • API String ID: 1725837607-0
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00976B63
                              • LoadStringW.USER32(00000000), ref: 00976B6A
                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00976B80
                              • LoadStringW.USER32(00000000), ref: 00976B87
                              • _wprintf.LIBCMT ref: 00976BAD
                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00976BCB
                              Strings
                              • %s (%d) : ==> %s: %s %s, xrefs: 00976BA8
                              Similarity
                              • API ID: HandleLoadModuleString$Message_wprintf
                              • String ID: %s (%d) : ==> %s: %s %s
                              • API String ID: 3648134473-3128320259
                              APIs
                                • Part of subcall function 00993C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00992BB5,?,?), ref: 00993C1D
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00992BF6
                              Similarity
                              • API ID: BuffCharConnectRegistryUpper
                              • String ID:
                              • API String ID: 2595220575-0
                              APIs
                              • select.WSOCK32 ref: 00989691
                              • WSAGetLastError.WSOCK32(00000000), ref: 0098969E
                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 009896C8
                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009896E9
                              • WSAGetLastError.WSOCK32(00000000), ref: 009896F8
                              • htons.WSOCK32(?,?,?,00000000,?), ref: 009897AA
                              • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,009CDC00), ref: 00989765
                                • Part of subcall function 0096D2FF: _strlen.LIBCMT ref: 0096D309
                              • _strlen.LIBCMT ref: 00989800
                              Similarity
                              • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                              • String ID:
                              • API String ID: 3480843537-0
                              APIs
                              • __mtinitlocknum.LIBCMT ref: 0095A991
                                • Part of subcall function 00957D7C: __FF_MSGBANNER.LIBCMT ref: 00957D91
                                • Part of subcall function 00957D7C: __NMSG_WRITE.LIBCMT ref: 00957D98
                                • Part of subcall function 00957D7C: __malloc_crt.LIBCMT ref: 00957DB8
                              • __lock.LIBCMT ref: 0095A9A4
                              • __lock.LIBCMT ref: 0095A9F0
                              • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,009E6DE0,00000018,00965E7B,?,00000000,00000109), ref: 0095AA0C
                              • EnterCriticalSection.KERNEL32(8000000C,009E6DE0,00000018,00965E7B,?,00000000,00000109), ref: 0095AA29
                              • LeaveCriticalSection.KERNEL32(8000000C), ref: 0095AA39
                              Similarity
                              • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                              • String ID:
                              • API String ID: 1422805418-0
                              APIs
                              • DeleteObject.GDI32(00000000), ref: 00998EE4
                              • GetDC.USER32(00000000), ref: 00998EEC
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00998EF7
                              • ReleaseDC.USER32(00000000,00000000), ref: 00998F03
                              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00998F3F
                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00998F50
                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0099BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00998F8A
                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00998FAA
                              Similarity
                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                              • String ID:
                              • API String ID: 3864802216-0
                              APIs
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                • Part of subcall function 0094C6F4: _wcscpy.LIBCMT ref: 0094C717
                              • _wcstok.LIBCMT ref: 0098184E
                              • _wcscpy.LIBCMT ref: 009818DD
                              • _memset.LIBCMT ref: 00981910
                              Strings
                              Similarity
                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                              • String ID: X
                              • API String ID: 774024439-3081909835
                              • Opcode ID: 5bcbe5bbf80760ff750c989a38e2bd7c8367f47a0337c10d85c091a2c8633807
                              • Instruction ID: ecab4f37b5b16e973b5fccdf74a26fce87e2772d7f98fea24d54278bc7f21f38
                              • Opcode Fuzzy Hash: 5bcbe5bbf80760ff750c989a38e2bd7c8367f47a0337c10d85c091a2c8633807
                              • Instruction Fuzzy Hash: D4C15A716083419FC724EF64C895B9AB7E8AF85350F00492DF89A973A2DB30ED05CF82
                              APIs
                                • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                              • GetSystemMetrics.USER32(0000000F), ref: 009A016D
                              • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 009A038D
                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009A03AB
                              • InvalidateRect.USER32(?,00000000,00000001,?), ref: 009A03D6
                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009A03FF
                              • ShowWindow.USER32(00000003,00000000), ref: 009A0421
                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 009A0440
                              Similarity
                              • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                              • String ID:
                              • API String ID: 3356174886-0
                              • Opcode ID: 39216dee1c20c740e31917c55fa20cea1e54be2e09103da1901f50eeeabbcf6b
                              • Instruction ID: 82f6fadf95968aec58d1eb97ea01fe6d6d6c8e3a83c3d08066be1a40749d25b7
                              • Opcode Fuzzy Hash: 39216dee1c20c740e31917c55fa20cea1e54be2e09103da1901f50eeeabbcf6b
                              • Instruction Fuzzy Hash: 13A1A035600616EFDF18CF68C9897BDBBB5BF89750F048115EC549B250EB34AD50CB90
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4bdf4310f5535baf49e2f3bfb85dc140b1472ab04faf77937ef62a90fa992f3d
                              • Instruction ID: 8a35c44bf2cffae8e113319661467cc8a37a2086198d9932ac2fff9b5a3dd79c
                              • Opcode Fuzzy Hash: 4bdf4310f5535baf49e2f3bfb85dc140b1472ab04faf77937ef62a90fa992f3d
                              • Instruction Fuzzy Hash: 96718DB1904109EFDF04CF98CC88EAEBB78FF85314F148289F915AA251C734AA05CFA5
                              APIs
                              • _memset.LIBCMT ref: 0099225A
                              • _memset.LIBCMT ref: 00992323
                              • ShellExecuteExW.SHELL32(?), ref: 00992368
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                • Part of subcall function 0094C6F4: _wcscpy.LIBCMT ref: 0094C717
                              • CloseHandle.KERNEL32(00000000), ref: 0099242F
                              • FreeLibrary.KERNEL32(00000000), ref: 0099243E
                              Strings
                              Similarity
                              • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                              • String ID: @
                              • API String ID: 4082843840-2766056989
                              • Opcode ID: 86e8e275b09bc678996947251f3a5804d0944ef15a6d0cc0745ed128ef4f57ba
                              • Instruction ID: d157bb319469b58e06a0eda51e0fd65ed21ad4a968264225b48de44c9bdf332d
                              • Opcode Fuzzy Hash: 86e8e275b09bc678996947251f3a5804d0944ef15a6d0cc0745ed128ef4f57ba
                              • Instruction Fuzzy Hash: 547160B4900619AFCF05EF98D491AAEB7F5FF88710F108459E855AB391DB34AD40CF90
                              APIs
                              • GetParent.USER32(?), ref: 00973DE7
                              • GetKeyboardState.USER32(?), ref: 00973DFC
                              • SetKeyboardState.USER32(?), ref: 00973E5D
                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00973E8B
                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00973EAA
                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00973EF0
                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00973F13
                              Similarity
                              • API ID: MessagePost$KeyboardState$Parent
                              • String ID:
                              • API String ID: 87235514-0
                              • Opcode ID: 89659a10ec4a7831861cf866e78d6e6f0e54e4ea38a820a6ef4ddb2faea8dcbd
                              • Instruction ID: 1dcf3420df17d20d0acb82a6b006f06a5aa854e2022b3e148f8f988c9db27b68
                              • Opcode Fuzzy Hash: 89659a10ec4a7831861cf866e78d6e6f0e54e4ea38a820a6ef4ddb2faea8dcbd
                              • Instruction Fuzzy Hash: 2751B4A2A187D53EFB3647248C45BB67EA95F46304F08C589F0DD468C3D3999EC4E750
                              APIs
                              • GetParent.USER32(00000000), ref: 00973C02
                              • GetKeyboardState.USER32(?), ref: 00973C17
                              • SetKeyboardState.USER32(?), ref: 00973C78
                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00973CA4
                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00973CC1
                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00973D05
                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00973D26
                              Similarity
                              • API ID: MessagePost$KeyboardState$Parent
                              • String ID:
                              • API String ID: 87235514-0
                              • Opcode ID: 510efe1093b6e9618804de0adc23a894442ac79305b9fd884ae96bc086048c50
                              • Instruction ID: c7739e9e33363720ab8b01f4164348eb0fa45a81206bb60539dce1359b01ddd5
                              • Opcode Fuzzy Hash: 510efe1093b6e9618804de0adc23a894442ac79305b9fd884ae96bc086048c50
                              • Instruction Fuzzy Hash: 6251D3A25086D539FB3687248C46BB6BF9DAB46300F0CC588E4DD568C2D395EE84F760
                              APIs
                              Similarity
                              • API ID: _wcsncpy$LocalTime
                              • String ID:
                              • API String ID: 2945705084-0
                              • Opcode ID: 0f524225e97efee249a6c4e6c8be4336a6ee7e23296be0df9d23ba294ff329c0
                              • Instruction ID: 8549afca04604d5b35a6218b828914783020ba06581911911eed7ee300234e2e
                              • Opcode Fuzzy Hash: 0f524225e97efee249a6c4e6c8be4336a6ee7e23296be0df9d23ba294ff329c0
                              • Instruction Fuzzy Hash: 4F419F67D11214B6CB10EBF5CC46ACFB3ACAF85710F548966E918F3121FA34E61887A9
                              APIs
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00993DA1
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00993DCB
                              • FreeLibrary.KERNEL32(00000000), ref: 00993E80
                                • Part of subcall function 00993D72: RegCloseKey.ADVAPI32(?), ref: 00993DE8
                                • Part of subcall function 00993D72: FreeLibrary.KERNEL32(?), ref: 00993E3A
                                • Part of subcall function 00993D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00993E5D
                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00993E25
                              Similarity
                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                              • String ID:
                              • API String ID: 395352322-0
                              • Opcode ID: 4ab58637304ad0eae3dd25ff14026be9630562a9bd4e8396405760e7d0704cc1
                              • Instruction ID: 6fbc7cc27d680552e07ac13fcd3a532158a10bf54b95589ab5982b709e6b698e
                              • Opcode Fuzzy Hash: 4ab58637304ad0eae3dd25ff14026be9630562a9bd4e8396405760e7d0704cc1
                              • Instruction Fuzzy Hash: 3D312BB1915109BFDF159FD8DC89AFFB7BCEF08310F00426AE512A2150E6749F489BA0
                              APIs
                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00998FE7
                              • GetWindowLongW.USER32(00FBE8F8,000000F0), ref: 0099901A
                              • GetWindowLongW.USER32(00FBE8F8,000000F0), ref: 0099904F
                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00999081
                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009990AB
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 009990BC
                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009990D6
                              Similarity
                              • API ID: LongWindow$MessageSend
                              • String ID:
                              • API String ID: 2178440468-0
                              • Opcode ID: 573e4149cc56ef5c1a05f170c12c35b476d3e2c39160cc7f70a05643eaa11114
                              • Instruction ID: 4a017546fcf0aadbaf0b519ece5213febe1f2ac02cd1fd378c16fb9550d6d0a8
                              • Opcode Fuzzy Hash: 573e4149cc56ef5c1a05f170c12c35b476d3e2c39160cc7f70a05643eaa11114
                              • Instruction Fuzzy Hash: A2310535658215DFDF208F5CDC85F6537A9FB4A724F144268F929CB2B1CB72A840EB81
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009708F2
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00970918
                              • SysAllocString.OLEAUT32(00000000), ref: 0097091B
                              • SysAllocString.OLEAUT32(?), ref: 00970939
                              • SysFreeString.OLEAUT32(?), ref: 00970942
                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00970967
                              • SysAllocString.OLEAUT32(?), ref: 00970975
                              Similarity
                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                              • String ID:
                              • API String ID: 3761583154-0
                              • Opcode ID: 90bc11736d465296ca89af8d44aec4c051dcf5db96b35ccdd8dcb8bc0330ef61
                              • Instruction ID: 664b040e1e06a0da1875e50f3518ba2bd0ede5f500876859195eb9859d97b093
                              • Opcode Fuzzy Hash: 90bc11736d465296ca89af8d44aec4c051dcf5db96b35ccdd8dcb8bc0330ef61
                              • Instruction Fuzzy Hash: 36219777605219AF9B109FA8CC88DBB73ACEB49370B00C525F919DB191E674EC458760
                              APIs
                              Strings
                              Similarity
                              • API ID: __wcsnicmp
                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                              • API String ID: 1038674560-2734436370
                              • Opcode ID: f3f2b17a4780a1f5af37165263e275533790efb733f172eb6f43990be81074a3
                              • Instruction ID: c8b855d2186b281af770f2bd194f38d69d8ecc1049c8dc646f19afc6c526d1b6
                              • Opcode Fuzzy Hash: f3f2b17a4780a1f5af37165263e275533790efb733f172eb6f43990be81074a3
                              • Instruction Fuzzy Hash: 1C21377321821177C324EB259C12FBBB3ACEFE5310F54C429F98E97181E7659942C395
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009709CB
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009709F1
                              • SysAllocString.OLEAUT32(00000000), ref: 009709F4
                              • SysAllocString.OLEAUT32 ref: 00970A15
                              • SysFreeString.OLEAUT32 ref: 00970A1E
                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00970A38
                              • SysAllocString.OLEAUT32(?), ref: 00970A46
                              Similarity
                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                              • String ID:
                              • API String ID: 3761583154-0
                              • Opcode ID: 11942f71286733136284d5c3345be96363706cd61858bcf32a756246b7ddb6a6
                              • Instruction ID: 1af74ec2103e04b2e9ff18090a0d3a948d5bc90c86acba571096c70335e1e72c
                              • Opcode Fuzzy Hash: 11942f71286733136284d5c3345be96363706cd61858bcf32a756246b7ddb6a6
                              • Instruction Fuzzy Hash: 97216276215204AF9B149BACDD89DAB77ECEF49360B00C125F90DCB2A1E674EC419764
                              APIs
                                • Part of subcall function 0094D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0094D1BA
                                • Part of subcall function 0094D17C: GetStockObject.GDI32(00000011), ref: 0094D1CE
                                • Part of subcall function 0094D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0094D1D8
                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0099A32D
                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0099A33A
                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0099A345
                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0099A354
                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0099A360
                              Strings
                              Similarity
                              • API ID: MessageSend$CreateObjectStockWindow
                              • String ID: Msctls_Progress32
                              • API String ID: 1025951953-3636473452
                              • Opcode ID: 94be7eb6d75b4c50dafba0d9510914b2d73e4221ae4b469d17d02d36b9fb4f12
                              • Instruction ID: af04cf38d639dae8464d8158d6bc8d84cc6dbd8e4dc10b2800df64239770075d
                              • Opcode Fuzzy Hash: 94be7eb6d75b4c50dafba0d9510914b2d73e4221ae4b469d17d02d36b9fb4f12
                              • Instruction Fuzzy Hash: E71190B1150219BEEF159F65CC86EEB7F6DFF08798F014114BA08A60A0C6729C21DBA4
                              APIs
                              • GetClientRect.USER32(?,?), ref: 0094CCF6
                              • GetWindowRect.USER32(?,?), ref: 0094CD37
                              • ScreenToClient.USER32(?,?), ref: 0094CD5F
                              • GetClientRect.USER32(?,?), ref: 0094CE8C
                              • GetWindowRect.USER32(?,?), ref: 0094CEA5
                              Similarity
                              • API ID: Rect$Client$Window$Screen
                              • String ID:
                              • API String ID: 1296646539-0
                              • Opcode ID: 2f4973443e2263d9967c070903c72dd4753ad65b62928ead1ba929ac02c7c5ba
                              • Instruction ID: 17dc908cadd3c4abccffd324b5f281d0c28eed670587313ccfc1a0a0dcc491c2
                              • Opcode Fuzzy Hash: 2f4973443e2263d9967c070903c72dd4753ad65b62928ead1ba929ac02c7c5ba
                              • Instruction Fuzzy Hash: A5B13AB990124ADFDB50CFA8C580BEEB7B5FF08310F149529EC59AB250EB34AD50DB64
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00991C18
                              • Process32FirstW.KERNEL32(00000000,?), ref: 00991C26
                              • __wsplitpath.LIBCMT ref: 00991C54
                                • Part of subcall function 00951DFC: __wsplitpath_helper.LIBCMT ref: 00951E3C
                              • _wcscat.LIBCMT ref: 00991C69
                              • Process32NextW.KERNEL32(00000000,?), ref: 00991CDF
                              • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00991CF1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                              • String ID:
                              • API String ID: 1380811348-0
                              • Opcode ID: 220764ca7a40845cd3de47e02c2e596c37e2209a8439a32cec68b7ace32e189d
                              • Instruction ID: 6f47949c24eecbcd22a466368518827a9659125b9efe022b2612c192084c1073
                              • Opcode Fuzzy Hash: 220764ca7a40845cd3de47e02c2e596c37e2209a8439a32cec68b7ace32e189d
                              • Instruction Fuzzy Hash: D0513CB15083419FD724EF24D885FABB7ECEF88754F00491EF58597291EB709904CB92
                              APIs
                                • Part of subcall function 00993C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00992BB5,?,?), ref: 00993C1D
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009930AF
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009930EF
                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00993112
                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0099313B
                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0099317E
                              • RegCloseKey.ADVAPI32(00000000), ref: 0099318B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                              • String ID:
                              • API String ID: 3451389628-0
                              • Opcode ID: 4ae6363e36a0f8e09c066d4e4c4e49116229f50457c39eb8ebdc53252eed1876
                              • Instruction ID: 2e82fcaadd88ea8d7cd97123dfa25fb78c37f98a6a7b4adc240e4cb29eb21bbb
                              • Opcode Fuzzy Hash: 4ae6363e36a0f8e09c066d4e4c4e49116229f50457c39eb8ebdc53252eed1876
                              • Instruction Fuzzy Hash: DB514871108300AFCB14EF68C895E6ABBF9FF89310F04891DF556972A1DB71EA05CB52
                              APIs
                              • GetMenu.USER32(?), ref: 00998540
                              • GetMenuItemCount.USER32(00000000), ref: 00998577
                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0099859F
                              • GetMenuItemID.USER32(?,?), ref: 0099860E
                              • GetSubMenu.USER32(?,?), ref: 0099861C
                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0099866D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Menu$Item$CountMessagePostString
                              • String ID:
                              • API String ID: 650687236-0
                              • Opcode ID: 65a3d759e62479e75dddf32124edc75320df24ec3490725b0ff4444702d0f132
                              • Instruction ID: e9b302e7cbe1f096007f03c8e8426c9d821ea75d0ea4bde0b0899d4188e1d778
                              • Opcode Fuzzy Hash: 65a3d759e62479e75dddf32124edc75320df24ec3490725b0ff4444702d0f132
                              • Instruction Fuzzy Hash: 53519F71A00215AFCF11EF68C945AAEB7F4EF89310F1144A9F906BB351DB70AE418B91
                              APIs
                              • _memset.LIBCMT ref: 00974B10
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00974B5B
                              • IsMenu.USER32(00000000), ref: 00974B7B
                              • CreatePopupMenu.USER32 ref: 00974BAF
                              • GetMenuItemCount.USER32(000000FF), ref: 00974C0D
                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00974C3E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                              • String ID:
                              • API String ID: 3311875123-0
                              • Opcode ID: 57abab007bdf0a4251cf513bfae7abc5de0a7d5f6aeec36cec0bb02b018968fe
                              • Instruction ID: 9972a3cc97db4a760bad9d7749694102fcfdfc958a246019a7ff39ddeaec03e9
                              • Opcode Fuzzy Hash: 57abab007bdf0a4251cf513bfae7abc5de0a7d5f6aeec36cec0bb02b018968fe
                              • Instruction Fuzzy Hash: F851C171601209DBDF25CF64C988BEDBBF8AF44314F188159E4599B292E3B09D44CB51
                              APIs
                              • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,009CDC00), ref: 00988E7C
                              • WSAGetLastError.WSOCK32(00000000), ref: 00988E89
                              • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00988EAD
                              • #16.WSOCK32(?,?,00000000,00000000), ref: 00988EC5
                              • _strlen.LIBCMT ref: 00988EF7
                              • WSAGetLastError.WSOCK32(00000000), ref: 00988F6A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ErrorLast$_strlenselect
                              • String ID:
                              • API String ID: 2217125717-0
                              • Opcode ID: 18ac66a31989fa1ecedbb25c3cf11138d8a6a6359d573fce0ccf7cb7ef3d817c
                              • Instruction ID: ffcaf560ca9ef1eeb2d2e9609ea948ee523f214681385d58e4201655610263b2
                              • Opcode Fuzzy Hash: 18ac66a31989fa1ecedbb25c3cf11138d8a6a6359d573fce0ccf7cb7ef3d817c
                              • Instruction Fuzzy Hash: 59417071504104ABCB14FBA4DD95FAEB7B9AF88314F504669F51AA7291EF30AE40CB60
                              APIs
                                • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                              • BeginPaint.USER32(?,?,?), ref: 0094AC2A
                              • GetWindowRect.USER32(?,?), ref: 0094AC8E
                              • ScreenToClient.USER32(?,?), ref: 0094ACAB
                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0094ACBC
                              • EndPaint.USER32(?,?,?,?,?), ref: 0094AD06
                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009AE673
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                              • String ID:
                              • API String ID: 2592858361-0
                              • Opcode ID: 1093f02f46ceddf56592bd9c1f16ecb105722d129d9dd41e475f564b3a58eba8
                              • Instruction ID: ff37ecbf5d3472f81d31d96d99da380cfdf6fae0c5219479094d44b1ad51d65f
                              • Opcode Fuzzy Hash: 1093f02f46ceddf56592bd9c1f16ecb105722d129d9dd41e475f564b3a58eba8
                              • Instruction Fuzzy Hash: 8441B071109301DFC710DF24CC84FBA7BA8EB59331F040669F9A4872E1D7319845EBA2
                              APIs
                              • ShowWindow.USER32(009F1628,00000000,009F1628,00000000,00000000,009F1628,?,009ADC5D,00000000,?,00000000,00000000,00000000,?,009ADAD1,00000004), ref: 0099E40B
                              • EnableWindow.USER32(00000000,00000000), ref: 0099E42F
                              • ShowWindow.USER32(009F1628,00000000), ref: 0099E48F
                              • ShowWindow.USER32(00000000,00000004), ref: 0099E4A1
                              • EnableWindow.USER32(00000000,00000001), ref: 0099E4C5
                              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0099E4E8
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$Show$Enable$MessageSend
                              • String ID:
                              • API String ID: 642888154-0
                              • Opcode ID: 4660e2151cf0e78810aee9623a73fc0b7dbd443655785a768af4c16d17dfdf89
                              • Instruction ID: 9e686f36e9eba7742b10c6178b42f8dd96a885331f159a2377076fe9023a42c1
                              • Opcode Fuzzy Hash: 4660e2151cf0e78810aee9623a73fc0b7dbd443655785a768af4c16d17dfdf89
                              • Instruction Fuzzy Hash: 93416D34605141EFDF22CF28C599B947BE5BF09714F1881A9EA588F2B2C732E842CB61
                              APIs
                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 009798D1
                                • Part of subcall function 0094F4EA: std::exception::exception.LIBCMT ref: 0094F51E
                                • Part of subcall function 0094F4EA: __CxxThrowException@8.LIBCMT ref: 0094F533
                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00979908
                              • EnterCriticalSection.KERNEL32(?), ref: 00979924
                              • LeaveCriticalSection.KERNEL32(?), ref: 0097999E
                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009799B3
                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 009799D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                              • String ID:
                              • API String ID: 2537439066-0
                              • Opcode ID: 7b95b2ff87497bead16138e970ded15537ca60a3c4c1d429b25a90c9ea93d0cd
                              • Instruction ID: 2133f195eef4190e1ffb23ced0160e7b3d2e988356e44bb6c69b3e734aed8d23
                              • Opcode Fuzzy Hash: 7b95b2ff87497bead16138e970ded15537ca60a3c4c1d429b25a90c9ea93d0cd
                              • Instruction Fuzzy Hash: AF315032A00105EBDB109FA4DD85E6BB778FF85310B1481B9F904AB256DB70DE10DBA0
                              APIs
                              • GetForegroundWindow.USER32(?,?,?,?,?,?,009877F4,?,?,00000000,00000001), ref: 00989B53
                                • Part of subcall function 00986544: GetWindowRect.USER32(?,?), ref: 00986557
                              • GetDesktopWindow.USER32 ref: 00989B7D
                              • GetWindowRect.USER32(00000000), ref: 00989B84
                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00989BB6
                                • Part of subcall function 00977A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977AD0
                              • GetCursorPos.USER32(?), ref: 00989BE2
                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00989C44
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                              • String ID:
                              • API String ID: 4137160315-0
                              • Opcode ID: 3e2e13449935b4fa85552aa2ab05f28889ccd1bc3f12fa119b5d9f4c0bb65702
                              • Instruction ID: ad5000d0024efab76c4d969cd84418429194851e5834810c69cd47fa10c5c3dd
                              • Opcode Fuzzy Hash: 3e2e13449935b4fa85552aa2ab05f28889ccd1bc3f12fa119b5d9f4c0bb65702
                              • Instruction Fuzzy Hash: 6D31C372108305AFD710DF54D849F9AB7EDFF85314F040A29F589D7281E671EA04CB91
                              APIs
                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0096AFAE
                              • OpenProcessToken.ADVAPI32(00000000), ref: 0096AFB5
                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0096AFC4
                              • CloseHandle.KERNEL32(00000004), ref: 0096AFCF
                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0096AFFE
                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 0096B012
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                              • String ID:
                              • API String ID: 1413079979-0
                              • Opcode ID: 21f255dbf1af808771f58e42cb31d36d1e1f8447d774bfe5a0dce07e5d9879a4
                              • Instruction ID: f689628812f32b64cd94d650d433927f5286ce7d5919f9180c4b85f2467c295a
                              • Opcode Fuzzy Hash: 21f255dbf1af808771f58e42cb31d36d1e1f8447d774bfe5a0dce07e5d9879a4
                              • Instruction Fuzzy Hash: DA214CB2105209ABDF029F94EE49BEE7BA9AF44314F044125FA01A2161D37ADD61EB62
                              APIs
                                • Part of subcall function 0094AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0094AFE3
                                • Part of subcall function 0094AF83: SelectObject.GDI32(?,00000000), ref: 0094AFF2
                                • Part of subcall function 0094AF83: BeginPath.GDI32(?), ref: 0094B009
                                • Part of subcall function 0094AF83: SelectObject.GDI32(?,00000000), ref: 0094B033
                              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0099EC20
                              • LineTo.GDI32(00000000,00000003,?), ref: 0099EC34
                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0099EC42
                              • LineTo.GDI32(00000000,00000000,?), ref: 0099EC52
                              • EndPath.GDI32(00000000), ref: 0099EC62
                              • StrokePath.GDI32(00000000), ref: 0099EC72
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                              • String ID:
                              • API String ID: 43455801-0
                              • Opcode ID: 7ac8b65cb70fdb719a270948b1477c4ee40ee9d39aa3b4fe58d4ecfdb68e7840
                              • Instruction ID: 788420f74779e24cfdbc4d192db9cc35629f94e5ea3450bf80de5505ab04a4bd
                              • Opcode Fuzzy Hash: 7ac8b65cb70fdb719a270948b1477c4ee40ee9d39aa3b4fe58d4ecfdb68e7840
                              • Instruction Fuzzy Hash: BA110972005149BFEF029F94DD88EEA7F6DEB08360F048112FE4899160E7719D55EBA0
                              APIs
                              • GetDC.USER32(00000000), ref: 0096E1C0
                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0096E1D1
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0096E1D8
                              • ReleaseDC.USER32(00000000,00000000), ref: 0096E1E0
                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0096E1F7
                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0096E209
                                • Part of subcall function 00969AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00969A05,00000000,00000000,?,00969DDB), ref: 0096A53A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CapsDevice$ExceptionRaiseRelease
                              • String ID:
                              • API String ID: 603618608-0
                              • Opcode ID: 9b4a406174823ac9ba701ac0ae853a26b48c7e79d67755d7f9301f3d004e4ab5
                              • Instruction ID: 8d6c2f7a42c211ffae151312768c2232ac27a9287b1fc1909711d390b5f976b2
                              • Opcode Fuzzy Hash: 9b4a406174823ac9ba701ac0ae853a26b48c7e79d67755d7f9301f3d004e4ab5
                              • Instruction Fuzzy Hash: 40018FB9A04214BFEB109BA68D45B5EBFB8EB48761F004166EE04A7290E6709C00DFA0
                              APIs
                              • __init_pointers.LIBCMT ref: 00957B47
                                • Part of subcall function 0095123A: __initp_misc_winsig.LIBCMT ref: 0095125E
                                • Part of subcall function 0095123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00957F51
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00957F65
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00957F78
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00957F8B
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00957F9E
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00957FB1
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00957FC4
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00957FD7
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00957FEA
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00957FFD
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00958010
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00958023
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00958036
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00958049
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0095805C
                                • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0095806F
                              • __mtinitlocks.LIBCMT ref: 00957B4C
                                • Part of subcall function 00957E23: InitializeCriticalSectionAndSpinCount.KERNEL32(009EAC68,00000FA0,?,?,00957B51,00955E77,009E6C70,00000014), ref: 00957E41
                              • __mtterm.LIBCMT ref: 00957B55
                                • Part of subcall function 00957BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00957B5A,00955E77,009E6C70,00000014), ref: 00957D3F
                                • Part of subcall function 00957BBD: _free.LIBCMT ref: 00957D46
                                • Part of subcall function 00957BBD: DeleteCriticalSection.KERNEL32(009EAC68,?,?,00957B5A,00955E77,009E6C70,00000014), ref: 00957D68
                              • __calloc_crt.LIBCMT ref: 00957B7A
                              • GetCurrentThreadId.KERNEL32 ref: 00957BA3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                              • String ID:
                              • API String ID: 2942034483-0
                              • Opcode ID: 084163a0d54881ab45682b45866d47a533d2758e2b6d3e138cfea9582c358f8e
                              • Instruction ID: 22362ed2bafdbfc2815cbd6c35a114f8fdd7554982fad7dc23ee92d009c52cfe
                              • Opcode Fuzzy Hash: 084163a0d54881ab45682b45866d47a533d2758e2b6d3e138cfea9582c358f8e
                              • Instruction Fuzzy Hash: 35F0963211D3621AE624F7F77C4774AA6889F41737B2006A9FC64D50E1FF249A494361
                              APIs
                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0093281D
                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00932825
                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00932830
                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0093283B
                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00932843
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0093284B
                              Similarity
                              • API ID: Virtual
                              • String ID:
                              • API String ID: 4278518827-0
                              • Opcode ID: 0bd7141e932ec85cec576bea736d73ff1927da07f38c2e048c4eaef5a7a88575
                              • Instruction ID: b65899c61ca431a8e9ab9d014f8d5a49366e37b1d5827b255de6f8d473f7f85f
                              • Opcode Fuzzy Hash: 0bd7141e932ec85cec576bea736d73ff1927da07f38c2e048c4eaef5a7a88575
                              • Instruction Fuzzy Hash: 510167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00421BA15C47A42C7F5A864CBE5
                              Similarity
                              • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                              • String ID:
                              • API String ID: 1423608774-0
                              • Opcode ID: f1bee1b1144f4b88f7a1e2d633eac355313e65eb09c3df43ba91da6432a00190
                              • Instruction ID: 9c2ef5e822620b67bf2c4a0b7da320952ce9c6eccecd7c2751b58b9dbd02f217
                              • Opcode Fuzzy Hash: f1bee1b1144f4b88f7a1e2d633eac355313e65eb09c3df43ba91da6432a00190
                              • Instruction Fuzzy Hash: 1E01A437217212ABDB196B64EE49EEB7779FFC8711B044639F507921A0EB749800EB50
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00977C07
                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00977C1D
                              • GetWindowThreadProcessId.USER32(?,?), ref: 00977C2C
                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00977C3B
                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00977C45
                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00977C4C
                              Similarity
                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                              • String ID:
                              • API String ID: 839392675-0
                              • Opcode ID: 2adb3a99df70eba1c5bfb2d82cf10e621fbdaef9cf24adcb17300c6e1c02c293
                              • Instruction ID: a99d0b37106d5c119cc8f966971743fc4654fe2fa7ba8adb1f69b68a9ea676a9
                              • Opcode Fuzzy Hash: 2adb3a99df70eba1c5bfb2d82cf10e621fbdaef9cf24adcb17300c6e1c02c293
                              • Instruction Fuzzy Hash: B6F0B472116158BFE72517529D0DEEF7F7CDFC6B25F000118FA01D1051E7A01A41E6B5
                              APIs
                              • InterlockedExchange.KERNEL32(?,?), ref: 00979A33
                              • EnterCriticalSection.KERNEL32(?,?,?,?,009A5DEE,?,?,?,?,?,0093ED63), ref: 00979A44
                              • TerminateThread.KERNEL32(?,000001F6,?,?,?,009A5DEE,?,?,?,?,?,0093ED63), ref: 00979A51
                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,009A5DEE,?,?,?,?,?,0093ED63), ref: 00979A5E
                                • Part of subcall function 009793D1: CloseHandle.KERNEL32(?,?,00979A6B,?,?,?,009A5DEE,?,?,?,?,?,0093ED63), ref: 009793DB
                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00979A71
                              • LeaveCriticalSection.KERNEL32(?,?,?,?,009A5DEE,?,?,?,?,?,0093ED63), ref: 00979A78
                              Similarity
                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                              • String ID:
                              • API String ID: 3495660284-0
                              • Opcode ID: d6e77be561feb63db3a0527db8d4dfa0f678a514d78580c5a58bd47f7b870879
                              • Instruction ID: b9fe4dbe66c8d7c0a19d4d015b78889187d2e523b9204ce1c9662ca9f3bc285f
                              • Opcode Fuzzy Hash: d6e77be561feb63db3a0527db8d4dfa0f678a514d78580c5a58bd47f7b870879
                              • Instruction Fuzzy Hash: 83F0E23715B201ABD7152BA4EE8DEEB3739FF84321B040225F203910A0EB749800EB50
                              APIs
                                • Part of subcall function 0094F4EA: std::exception::exception.LIBCMT ref: 0094F51E
                                • Part of subcall function 0094F4EA: __CxxThrowException@8.LIBCMT ref: 0094F533
                              • __swprintf.LIBCMT ref: 00931EA6
                              Strings
                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00931D49
                              Similarity
                              • API ID: Exception@8Throw__swprintfstd::exception::exception
                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                              • API String ID: 2125237772-557222456
                              • Opcode ID: c6418ade827046493ff69bfad47a773fb8c6e4325f09ec0cac298c1f49db6481
                              • Instruction ID: 9b46f5511a521a0d72f669911d5b5fb83a8daa7bbe7225c2ef6d57504adca24f
                              • Opcode Fuzzy Hash: c6418ade827046493ff69bfad47a773fb8c6e4325f09ec0cac298c1f49db6481
                              • Instruction Fuzzy Hash: 68912DB15082019FC724EF24C895E6EB7E8AFD5700F04491DF9969B2A1DB71ED44CF92
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 0098B006
                              • CharUpperBuffW.USER32(?,?), ref: 0098B115
                              • VariantClear.OLEAUT32(?), ref: 0098B298
                                • Part of subcall function 00979DC5: VariantInit.OLEAUT32(00000000), ref: 00979E05
                                • Part of subcall function 00979DC5: VariantCopy.OLEAUT32(?,?), ref: 00979E0E
                                • Part of subcall function 00979DC5: VariantClear.OLEAUT32(?), ref: 00979E1A
                              Similarity
                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                              • API String ID: 4237274167-1221869570
                              • Opcode ID: 5f297b421d5bc200c5dbbad6f30aac1101830977e7bded3f08db0c6471584fe1
                              • Instruction ID: 1e0d32be5cf4300c19a03acaa463f5bcabdff28c07bc595e624cd062dc309417
                              • Opcode Fuzzy Hash: 5f297b421d5bc200c5dbbad6f30aac1101830977e7bded3f08db0c6471584fe1
                              • Instruction Fuzzy Hash: A4915D716083019FCB10EF24C495A5AB7F4EFC9704F08496DF89A9B3A1DB31E945CB52
                              APIs
                                • Part of subcall function 0094C6F4: _wcscpy.LIBCMT ref: 0094C717
                              • _memset.LIBCMT ref: 00975438
                              • GetMenuItemInfoW.USER32(?), ref: 00975467
                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00975513
                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0097553D
                              Similarity
                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                              • String ID: 0
                              • API String ID: 4152858687-4108050209
                              • Opcode ID: b7989c61b7e45bbc117aefcc4e3b20e257582c1e109af6997351f6a2d876aef8
                              • Instruction ID: d5da73beb4c79222ebbae7595611e707742f94e1e33e5c49401cafa9edbe4445
                              • Opcode Fuzzy Hash: b7989c61b7e45bbc117aefcc4e3b20e257582c1e109af6997351f6a2d876aef8
                              • Instruction Fuzzy Hash: E05104735187019BD794DB28C84577BB7E9AB85350F058A29F89DD31E0DBE0CD448B92
                              APIs
                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0097027B
                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009702B1
                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009702C2
                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00970344
                              Similarity
                              • API ID: ErrorMode$AddressCreateInstanceProc
                              • String ID: DllGetClassObject
                              • API String ID: 753597075-1075368562
                              • Opcode ID: 822df2e5a15cf8d1af7104cd54a993d4e6e04c19f03b3fd718733492cbbfe643
                              • Instruction ID: eb367b126e4a341816390ebc5b3a06b9162063fc1ab9189ead1037241544542b
                              • Opcode Fuzzy Hash: 822df2e5a15cf8d1af7104cd54a993d4e6e04c19f03b3fd718733492cbbfe643
                              • Instruction Fuzzy Hash: 97416D72605204EFDB05CF64C885BAA7BB9EF84314B14C0A9E90D9F206E7B5D944CBA0
                              APIs
                              • _memset.LIBCMT ref: 00975075
                              • GetMenuItemInfoW.USER32 ref: 00975091
                              • DeleteMenu.USER32(00000004,00000007,00000000), ref: 009750D7
                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009F1708,00000000), ref: 00975120
                              Similarity
                              • API ID: Menu$Delete$InfoItem_memset
                              • String ID: 0
                              • API String ID: 1173514356-4108050209
                              • Opcode ID: 856a2f928124812a45198a43df6fd392e4b314b31bc0340013fed9706dcd990c
                              • Instruction ID: a0869f57136fbca62880604825a0f27f84aee224f1cbc7be6671ee7530e7b205
                              • Opcode Fuzzy Hash: 856a2f928124812a45198a43df6fd392e4b314b31bc0340013fed9706dcd990c
                              • Instruction Fuzzy Hash: 1D41D4322097019FD720DF24D885B6AB7E8AF85325F058A1EF95D97291D7B0EC00CB62
                              APIs
                              • CharLowerBuffW.USER32(?,?,?,?), ref: 00990587
                              Similarity
                              • API ID: BuffCharLower
                              • String ID: cdecl$none$stdcall$winapi
                              • API String ID: 2358735015-567219261
                              • Opcode ID: d50bf44cfec486d51dc91c15cab688246992c072b6dac6b85bc46b0635447f74
                              • Instruction ID: 837b30e69ae89e32157b1da93f7439bcc4e29e8b48660e5daa0dff402afd6a03
                              • Opcode Fuzzy Hash: d50bf44cfec486d51dc91c15cab688246992c072b6dac6b85bc46b0635447f74
                              • Instruction Fuzzy Hash: CB31A170600616AFCF10EF58C981AEEB3B8FF95314B108A29E876A72D1DB71A915CF50
                              APIs
                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0096B88E
                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0096B8A1
                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 0096B8D1
                              Similarity
                              • API ID: MessageSend
                              • String ID: ComboBox$ListBox
                              • API String ID: 3850602802-1403004172
                              • Opcode ID: 5949ac78be696641f7ad7404068c7d7f3aa09c4e7b3c86808fb3d3580414c6bb
                              • Instruction ID: 69e8573c59bf6cf6b4d6250027f2f23a79898de78409abf87dd21b20e1c95c4f
                              • Opcode Fuzzy Hash: 5949ac78be696641f7ad7404068c7d7f3aa09c4e7b3c86808fb3d3580414c6bb
                              • Instruction Fuzzy Hash: 372105B1A00108BFDB14AB64C886EFE777CDF85354F104129F422E31E0EB744D469B60
                              APIs
                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00984401
                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00984427
                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00984457
                              • InternetCloseHandle.WININET(00000000), ref: 0098449E
                                • Part of subcall function 00985052: GetLastError.KERNEL32(?,?,009843CC,00000000,00000000,00000001), ref: 00985067
                              Similarity
                              • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                              • String ID:
                              • API String ID: 1951874230-3916222277
                              • Opcode ID: a7c2962b2c614982833b296aa266218a4336df72d539a585b7254550f7c245ff
                              • Instruction ID: a60a2a9701555ba4ad25174e54b5b9cfc1960d568beb0b2134029b88d600a2f5
                              • Opcode Fuzzy Hash: a7c2962b2c614982833b296aa266218a4336df72d539a585b7254550f7c245ff
                              • Instruction Fuzzy Hash: FA21C2B1500209BFEB11AF64CCC4FBFBAECEF88758F10851AF109E2250EA648D059771
                              APIs
                                • Part of subcall function 0094D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0094D1BA
                                • Part of subcall function 0094D17C: GetStockObject.GDI32(00000011), ref: 0094D1CE
                                • Part of subcall function 0094D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0094D1D8
                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0099915C
                              • LoadLibraryW.KERNEL32(?), ref: 00999163
                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00999178
                              • DestroyWindow.USER32(?), ref: 00999180
                              Similarity
                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                              • String ID: SysAnimate32
                              • API String ID: 4146253029-1011021900
                              • Opcode ID: 4ab514d128dfba11de6df5101bcedd4eb2a68822fd714cf76810aa6c21536709
                              • Instruction ID: 91ff46736800e81184d262bd27539edf3e8eceaf66c565175359ee23c9783a91
                              • Opcode Fuzzy Hash: 4ab514d128dfba11de6df5101bcedd4eb2a68822fd714cf76810aa6c21536709
                              • Instruction Fuzzy Hash: 58218B71218206BBEF204E6D9C89FBA37ADFB9A368F10061DF91492190D732DC51A760
                              APIs
                              • GetStdHandle.KERNEL32(0000000C), ref: 00979588
                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009795B9
                              • GetStdHandle.KERNEL32(0000000C), ref: 009795CB
                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00979605
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CreateHandle$FilePipe
                              • String ID: nul
                              • API String ID: 4209266947-2873401336
                              • Opcode ID: 3358839f4c02029e6633d95b6986478cbe7eaa8d46c2fb7e60c44b44f6c061f9
                              • Instruction ID: aa7ad50f372790b1e4b1c7dc96496824ad5f527c9731c7ac6d201c4c21ecf6e7
                              • Opcode Fuzzy Hash: 3358839f4c02029e6633d95b6986478cbe7eaa8d46c2fb7e60c44b44f6c061f9
                              • Instruction Fuzzy Hash: F6215172600216ABDB219F29DC45A9A7BA8EF85724F208A19FDA9D72D0D770D940DB10
                              APIs
                              • GetStdHandle.KERNEL32(000000F6), ref: 00979653
                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00979683
                              • GetStdHandle.KERNEL32(000000F6), ref: 00979694
                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009796CE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CreateHandle$FilePipe
                              • String ID: nul
                              • API String ID: 4209266947-2873401336
                              • Opcode ID: 16fc6246eb3665f62470612c76bddc87f5992647141dc68d64dc50ba66d0388c
                              • Instruction ID: 7d6827645aeb3e61eff86fd4fbef36139a636d15a088a1afaa8e0415356cd94a
                              • Opcode Fuzzy Hash: 16fc6246eb3665f62470612c76bddc87f5992647141dc68d64dc50ba66d0388c
                              • Instruction Fuzzy Hash: 2A214F72600206ABDB209F699C45E9A77ECEF95734F208B19F9A5E72D0E7709841CB50
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0097DB0A
                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0097DB5E
                              • __swprintf.LIBCMT ref: 0097DB77
                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,009CDC00), ref: 0097DBB5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ErrorMode$InformationVolume__swprintf
                              • String ID: %lu
                              • API String ID: 3164766367-685833217
                              • Opcode ID: 2ab9785c2fe5e6bd9dc51d419287becce14b8d21af29c8e6aebf073f4046f52f
                              • Instruction ID: fdc41cb609847e51f0402e9a3539503efce7b56b7072f8d72225a0d44a8a66f7
                              • Opcode Fuzzy Hash: 2ab9785c2fe5e6bd9dc51d419287becce14b8d21af29c8e6aebf073f4046f52f
                              • Instruction Fuzzy Hash: A0218375A00108AFCB10EF65C985EAEB7B8EF88714F104069F909E7251DB70EA01DF61
                              APIs
                                • Part of subcall function 0096C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0096C84A
                                • Part of subcall function 0096C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0096C85D
                                • Part of subcall function 0096C82D: GetCurrentThreadId.KERNEL32 ref: 0096C864
                                • Part of subcall function 0096C82D: AttachThreadInput.USER32(00000000), ref: 0096C86B
                              • GetFocus.USER32 ref: 0096CA05
                                • Part of subcall function 0096C876: GetParent.USER32(?), ref: 0096C884
                              • GetClassNameW.USER32(?,?,00000100), ref: 0096CA4E
                              • EnumChildWindows.USER32(?,0096CAC4), ref: 0096CA76
                              • __swprintf.LIBCMT ref: 0096CA90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                              • String ID: %s%d
                              • API String ID: 3187004680-1110647743
                              • Opcode ID: 4d62f1e4a9ef927d57ea6291aa3bb312023cfb8316145968bdff22506ae142b5
                              • Instruction ID: 366e3c515019461a8e0d2f56f2bcd63ef0e438c9ea28449e8b54c32eb83a27ca
                              • Opcode Fuzzy Hash: 4d62f1e4a9ef927d57ea6291aa3bb312023cfb8316145968bdff22506ae142b5
                              • Instruction Fuzzy Hash: 0B1184B1600209BBCB11BFA08C85FF9376CAF84714F008066FE58AA182DB749545DB70
                              APIs
                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009919F3
                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00991A26
                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00991B49
                              • CloseHandle.KERNEL32(?), ref: 00991BBF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                              • String ID:
                              • API String ID: 2364364464-0
                              • Opcode ID: 1006458a1c70fe4f7432bfb144491c210a818e0b9f5a5e5d41fbb11a1d60a764
                              • Instruction ID: c25570b38afe71ea37c86e74e73a680d0761c868ec996f68bf17b5d79c4da118
                              • Opcode Fuzzy Hash: 1006458a1c70fe4f7432bfb144491c210a818e0b9f5a5e5d41fbb11a1d60a764
                              • Instruction Fuzzy Hash: 06817371A00205ABDF14DF68C886FADBBE5FF48720F148459F905AF382E7B5A941CB90
                              APIs
                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0099E1D5
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0099E20D
                              • IsDlgButtonChecked.USER32(?,00000001), ref: 0099E248
                              • GetWindowLongW.USER32(?,000000EC), ref: 0099E269
                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0099E281
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$ButtonCheckedLongWindow
                              • String ID:
                              • API String ID: 3188977179-0
                              • Opcode ID: 36bb5d6a9cf2f7c425a01b45e783cbdbba0735140b55d60d8a0f3fbb32aaf362
                              • Instruction ID: 1ebeac464a7142f6cf2b6c171c6e6503d1e7ac66c54a159ebeb44d67848291f2
                              • Opcode Fuzzy Hash: 36bb5d6a9cf2f7c425a01b45e783cbdbba0735140b55d60d8a0f3fbb32aaf362
                              • Instruction Fuzzy Hash: 14617C38A08248EFDF35CF5CCC95FBA77BAAB89310F184459F959972A1C771A940CB50
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 00971CB4
                              • VariantClear.OLEAUT32(00000013), ref: 00971D26
                              • VariantClear.OLEAUT32(00000000), ref: 00971D81
                              • VariantClear.OLEAUT32(?), ref: 00971DF8
                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00971E26
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Variant$Clear$ChangeInitType
                              • String ID:
                              • API String ID: 4136290138-0
                              • Opcode ID: f03a46f5a956336b8b1098b4a87ee62aa7f9b2813630b6c2738b8952ae27b60a
                              • Instruction ID: 566282b809ef8205fc063742cdbf70ad2c336978dad324db532a93f987064a51
                              • Opcode Fuzzy Hash: f03a46f5a956336b8b1098b4a87ee62aa7f9b2813630b6c2738b8952ae27b60a
                              • Instruction Fuzzy Hash: 6E5149B5A00209AFDB24CF58C884EAAB7B9FF4C314B158559ED59DB350E730EA51CFA0
                              APIs
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                              • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 009906EE
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0099077D
                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0099079B
                              • GetProcAddress.KERNEL32(00000000,?), ref: 009907E1
                              • FreeLibrary.KERNEL32(00000000,00000004), ref: 009907FB
                                • Part of subcall function 0094E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0097A574,?,?,00000000,00000008), ref: 0094E675
                                • Part of subcall function 0094E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0097A574,?,?,00000000,00000008), ref: 0094E699
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                              • String ID:
                              • API String ID: 327935632-0
                              • Opcode ID: 6e5e1e073af17325be271bbbb6e46d3b4a669e5e96ea5d8923af53061450c91f
                              • Instruction ID: 4f70edf68e98c3382ae31a210c5d898769aa6d02f02e1c56e1ae9e50a60b9157
                              • Opcode Fuzzy Hash: 6e5e1e073af17325be271bbbb6e46d3b4a669e5e96ea5d8923af53061450c91f
                              • Instruction Fuzzy Hash: 3C512975A00209DFCF04EFA8D895AADB7B9BF88320F048055E915AB351DB34ED45CF50
                              APIs
                                • Part of subcall function 00993C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00992BB5,?,?), ref: 00993C1D
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00992EEF
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00992F2E
                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00992F75
                              • RegCloseKey.ADVAPI32(?,?), ref: 00992FA1
                              • RegCloseKey.ADVAPI32(00000000), ref: 00992FAE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                              • String ID:
                              • API String ID: 3740051246-0
                              • Opcode ID: 1f2b39c078c486566c0af0f06d7fd1795ce062e277223de8bbb01b6a68cd96c9
                              • Instruction ID: 677308a955e8a090ad07e57b2e396b147a68eb0afc10bd5c4e1f248723b4b0b1
                              • Opcode Fuzzy Hash: 1f2b39c078c486566c0af0f06d7fd1795ce062e277223de8bbb01b6a68cd96c9
                              • Instruction Fuzzy Hash: C4511972209204AFDB04EF58C891F6AB7F9FF88314F04891DF59697291DB70E905DB52
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 98cd1755a2cfbafa9d9d92dcdfbe6cadd440172ef3d34beca0c16ea030f5fe00
                              • Instruction ID: 2823d84270e6b757a1f726ecdd0ad3c59f441468559a384ee9e291620d6bc0fe
                              • Opcode Fuzzy Hash: 98cd1755a2cfbafa9d9d92dcdfbe6cadd440172ef3d34beca0c16ea030f5fe00
                              • Instruction Fuzzy Hash: 5F41C3B9905208AFDF20DF6CCC44FA9BB6DEB09320F150265F95AA72E1D734AD41DA90
                              APIs
                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009812B4
                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009812DD
                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0098131C
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00981341
                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00981349
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                              • String ID:
                              • API String ID: 1389676194-0
                              • Opcode ID: d20734554cedc25089457488d744af9f3d3f247070ceb6856f203fc0b4347d1c
                              • Instruction ID: ff02b748827d6a96833e3fedad8081d29e5ce31f6fca6dcc36e7f0b637fcb04a
                              • Opcode Fuzzy Hash: d20734554cedc25089457488d744af9f3d3f247070ceb6856f203fc0b4347d1c
                              • Instruction Fuzzy Hash: 6A41F975A00105DFCB05EF64C991AAEBBF9FF48314B148099E91AAB361DB31ED01DF51
                              APIs
                              • GetCursorPos.USER32(000000FF), ref: 0094B64F
                              • ScreenToClient.USER32(00000000,000000FF), ref: 0094B66C
                              • GetAsyncKeyState.USER32(00000001), ref: 0094B691
                              • GetAsyncKeyState.USER32(00000002), ref: 0094B69F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AsyncState$ClientCursorScreen
                              • String ID:
                              • API String ID: 4210589936-0
                              • Opcode ID: 2a0d2da8562bac29333dbc6eac637b252a37b19bbaf32275204b3f9370d55329
                              • Instruction ID: c2199dfaf895967fa9d026d55d54bee7db6819023575e294079efea514225c49
                              • Opcode Fuzzy Hash: 2a0d2da8562bac29333dbc6eac637b252a37b19bbaf32275204b3f9370d55329
                              • Instruction Fuzzy Hash: D1416D35509119FFDF159F68C844EEABBB8FB46334F104319F82A96290CB34A994DFA1
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 0096B369
                              • PostMessageW.USER32(?,00000201,00000001), ref: 0096B413
                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0096B41B
                              • PostMessageW.USER32(?,00000202,00000000), ref: 0096B429
                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0096B431
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessagePostSleep$RectWindow
                              • String ID:
                              • API String ID: 3382505437-0
                              • Opcode ID: a9a3350cad51837c70aa49e9c24d4994f0419d08e97c6d8e9f9066fb41c97330
                              • Instruction ID: 0108a2bc5ee7a332c3c8ffbef51dabd46ffee45fdba8526c449d4a67c9ccef18
                              • Opcode Fuzzy Hash: a9a3350cad51837c70aa49e9c24d4994f0419d08e97c6d8e9f9066fb41c97330
                              • Instruction Fuzzy Hash: 9831D171905219EBDF04CF68DE4DA9E3BB9EB04325F104229F921EB2D1E7B09954DB90
                              APIs
                              • IsWindowVisible.USER32(?), ref: 0096DBD7
                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0096DBF4
                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0096DC2C
                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0096DC52
                              • _wcsstr.LIBCMT ref: 0096DC5C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                              • String ID:
                              • API String ID: 3902887630-0
                              • Opcode ID: e69adb6b8b6b1a2ad77b39d4a9fb3f39e3d09ec334517719b5ed908e7ed7ac23
                              • Instruction ID: 6213ac79c51759dbd6242419aad71567c9e7badfd65b9b21897b4bcd47ed7aae
                              • Opcode Fuzzy Hash: e69adb6b8b6b1a2ad77b39d4a9fb3f39e3d09ec334517719b5ed908e7ed7ac23
                              • Instruction Fuzzy Hash: DB212672B09208BBEB159F39DD49E7B7BACDF85760F104039F809CA191EAA5CC01D3A0
                              APIs
                                • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                              • GetWindowLongW.USER32(?,000000F0), ref: 0099DEB0
                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0099DED4
                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0099DEEC
                              • GetSystemMetrics.USER32(00000004), ref: 0099DF14
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00983A1E,00000000), ref: 0099DF32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$Long$MetricsSystem
                              • String ID:
                              • API String ID: 2294984445-0
                              • Opcode ID: c9e9bba8288bd201664254086e1cb0d78eaafab56ce2cb67db2f2053359d0d27
                              • Instruction ID: e2d2fb978f4df0854eb89be668c3cd228f587e9b52266581a0ee62cb2179b84e
                              • Opcode Fuzzy Hash: c9e9bba8288bd201664254086e1cb0d78eaafab56ce2cb67db2f2053359d0d27
                              • Instruction Fuzzy Hash: 0A21CF31626212AFCF204FBC9D88B6A77A8FF15374F150724F926CA1E0E7309810DB90
                              APIs
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0096BC90
                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0096BCC2
                              • __itow.LIBCMT ref: 0096BCDA
                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0096BD00
                              • __itow.LIBCMT ref: 0096BD11
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$__itow
                              • String ID:
                              • API String ID: 3379773720-0
                              • Opcode ID: b33965063162b5780d42144bbcd6f0972ac4f0cb47c37439876c290f12847cf6
                              • Instruction ID: ac55515a8ac3c1c7555c8d2756707592c63a37732f94b3f88e8fe94233dafca1
                              • Opcode Fuzzy Hash: b33965063162b5780d42144bbcd6f0972ac4f0cb47c37439876c290f12847cf6
                              • Instruction Fuzzy Hash: BF21C975600208BADB10AE698C45FDE7B6CAF99750F000024F945EB1C1FB748D4587A1
                              APIs
                                • Part of subcall function 009350E6: _wcsncpy.LIBCMT ref: 009350FA
                              • GetFileAttributesW.KERNEL32(?,?,?,?,009760C3), ref: 00976369
                              • GetLastError.KERNEL32(?,?,?,009760C3), ref: 00976374
                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009760C3), ref: 00976388
                              • _wcsrchr.LIBCMT ref: 009763AA
                                • Part of subcall function 00976318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009760C3), ref: 009763E0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                              • String ID:
                              • API String ID: 3633006590-0
                              • Opcode ID: a469d26db732dfa5ef1e1611cca5f62c0384a2ef31bac651777967da829a6dd6
                              • Instruction ID: 1111b36daf18cccf7ac357fa3d5e539054c373483d40b98509b38970a8943e52
                              • Opcode Fuzzy Hash: a469d26db732dfa5ef1e1611cca5f62c0384a2ef31bac651777967da829a6dd6
                              • Instruction Fuzzy Hash: 39212732515A158BDB15EB78AC52FFA33ACEF06760F108466F44DD31C0EB60D984DB51
                              APIs
                                • Part of subcall function 0098A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0098A84E
                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00988BD3
                              • WSAGetLastError.WSOCK32(00000000), ref: 00988BE2
                              • connect.WSOCK32(00000000,?,00000010), ref: 00988BFE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ErrorLastconnectinet_addrsocket
                              • String ID:
                              • API String ID: 3701255441-0
                              • Opcode ID: 18543cfbd88ce1615877247a2c244ebf0d257c0b4d30adc8f4243d27c859a5b4
                              • Instruction ID: 8f5a892499463a167cf64df2b51ab0fb65e868bd0ab77e28e58136de4bf3fd1f
                              • Opcode Fuzzy Hash: 18543cfbd88ce1615877247a2c244ebf0d257c0b4d30adc8f4243d27c859a5b4
                              • Instruction Fuzzy Hash: 0421AE712002149FCB10AF28C985F7E77ADAF88720F048559F956AB392DF74AC018B61
                              APIs
                              • IsWindow.USER32(00000000), ref: 00988441
                              • GetForegroundWindow.USER32 ref: 00988458
                              • GetDC.USER32(00000000), ref: 00988494
                              • GetPixel.GDI32(00000000,?,00000003), ref: 009884A0
                              • ReleaseDC.USER32(00000000,00000003), ref: 009884DB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$ForegroundPixelRelease
                              • String ID:
                              • API String ID: 4156661090-0
                              • Opcode ID: f1461245f646c3384e1031b91767f206b50782e002b643c31ba59ae5fb333cf4
                              • Instruction ID: cda68384e60325af3087f1c5085667a084638e081e887fb74f3e32681ce00739
                              • Opcode Fuzzy Hash: f1461245f646c3384e1031b91767f206b50782e002b643c31ba59ae5fb333cf4
                              • Instruction Fuzzy Hash: EC218176A01204AFD710EFA4D989BAEBBE5EF88311F048479F85997351DB70AD00DB60
                              APIs
                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0094AFE3
                              • SelectObject.GDI32(?,00000000), ref: 0094AFF2
                              • BeginPath.GDI32(?), ref: 0094B009
                              • SelectObject.GDI32(?,00000000), ref: 0094B033
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ObjectSelect$BeginCreatePath
                              • String ID:
                              • API String ID: 3225163088-0
                              • Opcode ID: a318d01fbfeb5214aabde9a0cf833789c6f75535f79ae058ceb4664f8cbafc9b
                              • Instruction ID: d0ba9dcf28ca801b3baee80bfffeba2a4b438c7138a846b54ce15d066048fbf2
                              • Opcode Fuzzy Hash: a318d01fbfeb5214aabde9a0cf833789c6f75535f79ae058ceb4664f8cbafc9b
                              • Instruction Fuzzy Hash: 9C2183B0829305EFDB10DF55EC44BAA7B6CB711366F14431AE421E21A0D3718845EFD1
                              APIs
                              • __calloc_crt.LIBCMT ref: 009521A9
                              • CreateThread.KERNEL32(?,?,009522DF,00000000,?,?), ref: 009521ED
                              • GetLastError.KERNEL32 ref: 009521F7
                              • _free.LIBCMT ref: 00952200
                              • __dosmaperr.LIBCMT ref: 0095220B
                                • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                              • String ID:
                              • API String ID: 2664167353-0
                              • Opcode ID: aef0da00d5ea6d3227416b430961f62febbbcf803224d303e5530db05043a54c
                              • Instruction ID: bbd24e0143815f77e8ec2579e0561f8052b28c569951c09e88db56559628e736
                              • Opcode Fuzzy Hash: aef0da00d5ea6d3227416b430961f62febbbcf803224d303e5530db05043a54c
                              • Instruction Fuzzy Hash: 3F1108361097466F9B15EFA7EC42E6B7798EF82771F100529FD2486141EB31D81987A0
                              APIs
                              • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0096ABD7
                              • GetLastError.KERNEL32(?,0096A69F,?,?,?), ref: 0096ABE1
                              • GetProcessHeap.KERNEL32(00000008,?,?,0096A69F,?,?,?), ref: 0096ABF0
                              • HeapAlloc.KERNEL32(00000000,?,0096A69F,?,?,?), ref: 0096ABF7
                              • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0096AC0E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                              • String ID:
                              • API String ID: 842720411-0
                              • Opcode ID: df39be9d3d2bde073fa1603c61da3c6b51ae9066ec0327e14d88a540f682ee32
                              • Instruction ID: e3fc627ffb31e5d9da2b8395b3af49f6a05489c46a85cc75dd2e6e8fb7ef9cd1
                              • Opcode Fuzzy Hash: df39be9d3d2bde073fa1603c61da3c6b51ae9066ec0327e14d88a540f682ee32
                              • Instruction Fuzzy Hash: B601AF70215204BFDB144FA9DD48DAB3BACFF8A3647100529F845D3260EA75CC40DF60
                              APIs
                              • CLSIDFromProgID.OLE32 ref: 00969ADC
                              • ProgIDFromCLSID.OLE32(?,00000000), ref: 00969AF7
                              • lstrcmpiW.KERNEL32(?,00000000), ref: 00969B05
                              • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00969B15
                              • CLSIDFromString.OLE32(?,?), ref: 00969B21
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: From$Prog$FreeStringTasklstrcmpi
                              • String ID:
                              • API String ID: 3897988419-0
                              • Opcode ID: 321399adb41e4f0faf55e3a508ae931beb9e9ed9aadeecc326c5ff20255c0f14
                              • Instruction ID: abda3803be73ed4fd743aca2a525e21d0d5730b6ec57d7b72379444cb3d7c987
                              • Opcode Fuzzy Hash: 321399adb41e4f0faf55e3a508ae931beb9e9ed9aadeecc326c5ff20255c0f14
                              • Instruction Fuzzy Hash: 7A01D176611209BFDB104F68EE44BAABBFDEF483A2F148024FD05D2210E770DD00ABA0
                              APIs
                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977A74
                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00977A82
                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00977A8A
                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00977A94
                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977AD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: PerformanceQuery$CounterSleep$Frequency
                              • String ID:
                              • API String ID: 2833360925-0
                              • Opcode ID: cd60518e1467b2f0c32d72eab8e3918e54d9c4176939946f716b22ccbb734dfe
                              • Instruction ID: be12b8bc6b910d2249ff8568b56ad7de07f852f4752d170450dfcd3fba814ffc
                              • Opcode Fuzzy Hash: cd60518e1467b2f0c32d72eab8e3918e54d9c4176939946f716b22ccbb734dfe
                              • Instruction Fuzzy Hash: B2016976C0961DEBEF08AFE8DD48ADDFB78FB08311F004555E402B2150EB3096509BA1
                              APIs
                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0096AADA
                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0096AAE4
                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0096AAF3
                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0096AAFA
                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0096AB10
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: HeapInformationToken$AllocErrorLastProcess
                              • String ID:
                              • API String ID: 44706859-0
                              • Opcode ID: 414d4f4ada7ebf97a484410e4918168d1d663fbbfa3fb596da0f9e5bc55475ae
                              • Instruction ID: 3c6cd85eb8b7d9f99d50c05d407767e8aab71776cabf54c5ed1243bfd6bd193a
                              • Opcode Fuzzy Hash: 414d4f4ada7ebf97a484410e4918168d1d663fbbfa3fb596da0f9e5bc55475ae
                              • Instruction Fuzzy Hash: 6FF062712152096FEB111FB4EC88E673BADFF45764F000129F941D7190DA609C01DF61
                              APIs
                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0096AA79
                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0096AA83
                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0096AA92
                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0096AA99
                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0096AAAF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: HeapInformationToken$AllocErrorLastProcess
                              • String ID:
                              • API String ID: 44706859-0
                              • Opcode ID: 757bdd8efa5ffde30c78bb988004869a21b7063f3ccd4a727235fc7814c353c1
                              • Instruction ID: 85cd68409cb48dc9d6b0a612c9230af8761767e6ac889ae04e3897d53fd6df3f
                              • Opcode Fuzzy Hash: 757bdd8efa5ffde30c78bb988004869a21b7063f3ccd4a727235fc7814c353c1
                              • Instruction Fuzzy Hash: 84F0AF312152046FEB101FA4AD89E673BADFF49764F00012AF901D7190EA609C01DA61
                              APIs
                              • GetDlgItem.USER32(?,000003E9), ref: 0096EC94
                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0096ECAB
                              • MessageBeep.USER32(00000000), ref: 0096ECC3
                              • KillTimer.USER32(?,0000040A), ref: 0096ECDF
                              • EndDialog.USER32(?,00000001), ref: 0096ECF9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                              • String ID:
                              • API String ID: 3741023627-0
                              • Opcode ID: 5daa5ad6d1157cb621843e721dca2d67cd6ab25ee2838048da9d4cf9193b6592
                              • Instruction ID: eb4e3411f13dd5d266757b3d06f9ab2067492d21c1b29caa1e883f4f65c4303d
                              • Opcode Fuzzy Hash: 5daa5ad6d1157cb621843e721dca2d67cd6ab25ee2838048da9d4cf9193b6592
                              • Instruction Fuzzy Hash: 54018134514705ABEB345B10DF9EB967BB8FF00B15F000669B582A14E0EBF8AA44DB80
                              APIs
                              • EndPath.GDI32(?), ref: 0094B0BA
                              • StrokeAndFillPath.GDI32(?,?,009AE680,00000000,?,?,?), ref: 0094B0D6
                              • SelectObject.GDI32(?,00000000), ref: 0094B0E9
                              • DeleteObject.GDI32 ref: 0094B0FC
                              • StrokePath.GDI32(?), ref: 0094B117
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Path$ObjectStroke$DeleteFillSelect
                              • String ID:
                              • API String ID: 2625713937-0
                              • Opcode ID: e3fc6db3d9b615172fa2415c11a5d8ae268bf367daf03e5939ab187f0d7db402
                              • Instruction ID: d304a0ee0e2ec68ee723127f06ca535c416257de21d17cab7a745d4bf94c9e9f
                              • Opcode Fuzzy Hash: e3fc6db3d9b615172fa2415c11a5d8ae268bf367daf03e5939ab187f0d7db402
                              • Instruction Fuzzy Hash: E5F0193002D205EFCB25AF69ED0CB643B68AB14372F088314E425840F0D7318956EF94
                              APIs
                              • CoInitialize.OLE32(00000000), ref: 0097F2DA
                              • CoCreateInstance.OLE32(009BDA7C,00000000,00000001,009BD8EC,?), ref: 0097F2F2
                              • CoUninitialize.OLE32 ref: 0097F555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CreateInitializeInstanceUninitialize
                              • String ID: .lnk
                              • API String ID: 948891078-24824748
                              • Opcode ID: 115ea6d45eb23b2a3aafa09955a7c5803feefc4cef0324ce42bb15cd2deb1a5b
                              • Instruction ID: 110f5a52399c01373b842776439a3d9b613d533d073e04efbbbc816e6c415e80
                              • Opcode Fuzzy Hash: 115ea6d45eb23b2a3aafa09955a7c5803feefc4cef0324ce42bb15cd2deb1a5b
                              • Instruction Fuzzy Hash: 64A129B2104201AFD300EF64C891EABB7E8FFD8714F40495DF59597192EB70EA09CBA2
                              APIs
                                • Part of subcall function 0093660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009353B1,?,?,009361FF,?,00000000,00000001,00000000), ref: 0093662F
                              • CoInitialize.OLE32(00000000), ref: 0097E85D
                              • CoCreateInstance.OLE32(009BDA7C,00000000,00000001,009BD8EC,?), ref: 0097E876
                              • CoUninitialize.OLE32 ref: 0097E893
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                              • String ID: .lnk
                              • API String ID: 2126378814-24824748
                              • Opcode ID: 2d0696ee3c03941d5cf38fd01dc76f769ed9d09d595efb591154859862d5bb00
                              • Instruction ID: a4ad4b506fce2c3f9a27f143144e662bddcad66091a5fb7bdef60a323443c305
                              • Opcode Fuzzy Hash: 2d0696ee3c03941d5cf38fd01dc76f769ed9d09d595efb591154859862d5bb00
                              • Instruction Fuzzy Hash: F3A146766043019FCB14DF14C484E5ABBE9BF88724F148998F99A9B3A1CB31ED45CF91
                              APIs
                              • __startOneArgErrorHandling.LIBCMT ref: 009532ED
                                • Part of subcall function 0095E0D0: __87except.LIBCMT ref: 0095E10B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ErrorHandling__87except__start
                              • String ID: pow
                              • API String ID: 2905807303-2276729525
                              • Opcode ID: e3ea50bfa8adbf091da511777a6a29bb8091cc75a81c6c13b27ad96d876fbbbb
                              • Instruction ID: 96ed372f2c09592adda4a1ff227f05ff9be8d23b86a7cad967835aaba63c935f
                              • Opcode Fuzzy Hash: e3ea50bfa8adbf091da511777a6a29bb8091cc75a81c6c13b27ad96d876fbbbb
                              • Instruction Fuzzy Hash: C3515C31A0C60196CB19E716C94137A2B9C9B80793F60CD68FCE5851E9DE3A8F8CA745
                              APIs
                              • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,009CDC50,?,0000000F,0000000C,00000016,009CDC50,?), ref: 00974645
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                              • CharUpperBuffW.USER32(?,?,00000000,?), ref: 009746C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: BuffCharUpper$__itow__swprintf
                              • String ID: REMOVE$THIS
                              • API String ID: 3797816924-776492005
                              • Opcode ID: a66c947c01fcc87be74f63da09d278c722a8e28a3073a828041ae2f93c262c76
                              • Instruction ID: 66d552fb87d00d45ea820924544e8019e38a050e17e1bd082e783c9de74d97c6
                              • Opcode Fuzzy Hash: a66c947c01fcc87be74f63da09d278c722a8e28a3073a828041ae2f93c262c76
                              • Instruction Fuzzy Hash: FA417176A002199FCF05DF64C881AADB7B5FF89304F14C469E91AAB2A2DB34DD45CF50
                              APIs
                                • Part of subcall function 0097430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0096BC08,?,?,00000034,00000800,?,00000034), ref: 00974335
                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0096C1D3
                                • Part of subcall function 009742D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0096BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00974300
                                • Part of subcall function 0097422F: GetWindowThreadProcessId.USER32(?,?), ref: 0097425A
                                • Part of subcall function 0097422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0096BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0097426A
                                • Part of subcall function 0097422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0096BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00974280
                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0096C240
                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0096C28D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                              • String ID: @
                              • API String ID: 4150878124-2766056989
                              • Opcode ID: 347be9cc4c668a10bcf4d1c12c8e13a28136488ed879417975de1190d9f4a643
                              • Instruction ID: 09a335508da304c3a000d137ca8db5787f7f3af9b44ad9c7f0b692d817298f38
                              • Opcode Fuzzy Hash: 347be9cc4c668a10bcf4d1c12c8e13a28136488ed879417975de1190d9f4a643
                              • Instruction Fuzzy Hash: 71414B72900218AFDB10DFA4CD91BEEB7B8BF49700F008095FA99B7181DB71AE45CB61
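The function recorded at ref 0096C1D3 above is the one entry in this listing that deserves a second look, because its call set (GetWindowThreadProcessId, OpenProcess with access mask 0x438, VirtualAllocEx with 0x1000/0x4, WriteProcessMemory, ReadProcessMemory) is the same set a process injector uses. What it lacks is any execution primitive: 0x438 is PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION with no PROCESS_CREATE_THREAD, the allocation is PAGE_READWRITE, and no CreateRemoteThread, APC or thread-context call appears. The surrounding SendMessageW values fit a benign reason for the pattern: 0x1104 and 0x1111 are TVM_GETITEMRECT and TVM_HITTEST when the target is a SysTreeView32 (TV_FIRST is 0x1100), and the ReadProcessMemory subcall context carries 0x1073 (LVM_GETITEMTEXTW) and 0x1004 (LVM_GETITEMCOUNT). Those messages pass a pointer to a structure, and when the control belongs to another process that structure has to live in the target's address space, which is exactly why a remote buffer is allocated, written and read back. For a binary the report already flags as a compiled AutoIt script, this is consistent with the interpreter's own control-access helpers rather than the payload; a behaviour-level signature such as "Writes to foreign memory regions" does not make that distinction, so the API sequence has to be read. Note that the message numbers are only meaningful relative to the window class: LVM_FIRST and MCM_FIRST both sit at 0x1000, so the same value decodes differently for a list view and a month calendar.

The following triage helper is an added example for this page, not part of the Joe Sandbox report and not Joe Sandbox code. It parses "APIs" blocks in the layout shown above (the sample text is constructed, copied from the calls around ref 0096C1D3 plus one plain GUI helper), decodes the OpenProcess access mask and VirtualAllocEx protection, and separates "cross-process data access" from "code injection candidate" by checking for an execution primitive, a PROCESS_CREATE_THREAD right, or executable remote memory. Function names and the verdict labels are this example's own.

```python
"""Triage helper for the per-function "APIs" listings of a Joe Sandbox report.
Added example for this page; it is not part of the report and not Joe Sandbox code."""
import re
from typing import Dict, List, Optional

# Constructed sample in the report's layout.  Block 1 mirrors the function recorded at
# ref 0096C1D3 (tree-view messages surrounded by cross-process memory calls); block 2 is
# a plain GUI helper.  Only the call names and the hex arguments matter to the parser.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 0097430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0096BC08,?,?,00000034,00000800,?,00000034), ref: 00974335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0096C1D3
  • Part of subcall function 009742D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0096BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00974300
  • Part of subcall function 0097422F: GetWindowThreadProcessId.USER32(?,?), ref: 0097425A
  • Part of subcall function 0097422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0096BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0097426A
  • Part of subcall function 0097422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0096BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00974280
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0096C240
Strings
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009CDC00,00000000,?,?,?,?), ref: 0099A6D8
• GetWindowLongW.USER32 ref: 0099A6F5
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0099A705
Strings
"""

# "• Name.MODULE(args), ref: ADDR" or "• Part of subcall function ADDR: Name.MODULE(...), ref: ADDR"
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})"
)

PROCESS_RIGHTS = {  # OpenProcess dwDesiredAccess bits (winnt.h)
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Calls that turn "memory written into another process" into "code run in another process".
EXEC_PRIMITIVES = {"CreateRemoteThread", "CreateRemoteThreadEx", "NtCreateThreadEx", "RtlCreateUserThread",
                   "QueueUserAPC", "NtQueueApcThread", "SetThreadContext", "NtSetContextThread"}


def parse_api_blocks(text: str) -> List[List[Dict[str, object]]]:
    """One list of calls per 'APIs' block; args split on commas, '?' kept for values not recovered."""
    blocks: List[List[Dict[str, object]]] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            blocks.append([])
            continue
        m = API_LINE.search(line) if blocks else None
        if m:
            call: Dict[str, object] = m.groupdict()
            call["args"] = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            blocks[-1].append(call)
    return blocks


def _hex_arg(call: Dict[str, object], index: int) -> Optional[int]:
    """Integer value of argument `index` if the report recovered it; None for '?' or missing."""
    args = call["args"]
    if index < len(args) and re.fullmatch(r"[0-9A-Fa-f]{1,8}", args[index]):
        return int(args[index], 16)
    return None


def decode_access_mask(mask: int) -> List[str]:
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    rest = mask & ~sum(PROCESS_RIGHTS)
    return names + ([f"0x{rest:X}"] if rest else [])


def classify_block(calls: List[Dict[str, object]]) -> Dict[str, object]:
    """A handle, remote memory and a read/write make cross-process access; whether it is data
    exchange or injection turns on execution rights, execution calls and executable memory."""
    names = {c["name"] for c in calls}
    result: Dict[str, object] = {
        "verdict": "none", "anchor": next((c["ref"] for c in calls if not c["sub"]), None),
        "open_process_rights": [], "alloc_protect": None}
    if not ({"OpenProcess", "VirtualAllocEx"} <= names
            and names & {"WriteProcessMemory", "ReadProcessMemory"}):
        return result
    by_name = {c["name"]: c for c in calls}
    mask = _hex_arg(by_name["OpenProcess"], 0)       # dwDesiredAccess
    protect = _hex_arg(by_name["VirtualAllocEx"], 4)  # flProtect
    rights = decode_access_mask(mask) if mask is not None else []
    result["open_process_rights"] = rights
    result["alloc_protect"] = PAGE_PROTECT.get(protect, f"0x{protect:X}") if protect is not None else None
    executes = (bool(names & EXEC_PRIMITIVES) or "PROCESS_CREATE_THREAD" in rights
                or bool(protect is not None and protect & 0xF0))  # any PAGE_EXECUTE_* bit
    result["verdict"] = "code injection candidate" if executes else "cross-process data access"
    return result


def triage_report(text: str) -> List[Dict[str, object]]:
    """All blocks whose call set touches another process's memory, with the verdict."""
    return [r for r in (classify_block(b) for b in parse_api_blocks(text)) if r["verdict"] != "none"]


if __name__ == "__main__":
    for hit in triage_report(SAMPLE_REPORT):
        print(hit["verdict"], hit["anchor"], hit["open_process_rights"], hit["alloc_protect"])
```

Run against the constructed sample, the first block comes back as "cross-process data access" anchored at 0096C1D3 with the four rights listed above and PAGE_READWRITE memory, and the GUI helper is not reported. The same parser reads the rest of this listing, including the LoadLibrary/GetProcAddress pairs further down, but the classifier only scores the cross-process pattern; a verdict of "cross-process data access" is a reason to deprioritise a function, not to clear the sample, which the report's other signatures already decide.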
                              APIs
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009CDC00,00000000,?,?,?,?), ref: 0099A6D8
                              • GetWindowLongW.USER32 ref: 0099A6F5
                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0099A705
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$Long
                              • String ID: SysTreeView32
                              • API String ID: 847901565-1698111956
                              • Opcode ID: b3e310e9838b270fdcf781661c8328c431f2a93adc93ed3789867f5986864360
                              • Instruction ID: 9f435ef490c0829784c43b07d50131a194850b59f15cd4a6fe0d4e9f9fc7ff2b
                              • Opcode Fuzzy Hash: b3e310e9838b270fdcf781661c8328c431f2a93adc93ed3789867f5986864360
                              • Instruction Fuzzy Hash: 4031AE3160520AAFDF118E78CC45BEA77A9EB49334F254729F975932E0D730A8509B91
                              APIs
                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0099A15E
                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0099A172
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0099A196
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$Window
                              • String ID: SysMonthCal32
                              • API String ID: 2326795674-1439706946
                              • Opcode ID: 37ff9ad26cce28695c2c03cbb97fdf4b5e315328de49b88502790ce92e26722f
                              • Instruction ID: 0e464f61882ae6265211168f16dd916ebc5fe45c11ba371eee2127fc565577b8
                              • Opcode Fuzzy Hash: 37ff9ad26cce28695c2c03cbb97fdf4b5e315328de49b88502790ce92e26722f
                              • Instruction Fuzzy Hash: 0121A132514218ABDF258F98CC42FEA3B7AEF88724F110214FE55AB1D0D6B5AC51DB90
                              APIs
                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0099A941
                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0099A94F
                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0099A956
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$DestroyWindow
                              • String ID: msctls_updown32
                              • API String ID: 4014797782-2298589950
                              • Opcode ID: 069b73aea0c7db508a3722a0606a2f7b16dd5acb6bd88ef05f6f9ad02c8fa457
                              • Instruction ID: a764e608b493c79ae3fc3d06ab344d76aab07b04cbc3a2de82012c73ec32909e
                              • Opcode Fuzzy Hash: 069b73aea0c7db508a3722a0606a2f7b16dd5acb6bd88ef05f6f9ad02c8fa457
                              • Instruction Fuzzy Hash: F721A1B5600209AFDB10DF29CC91E7737ADEF9A3A8B050159FA049B261CB30EC11DBA1
                              APIs
                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00999A30
                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00999A40
                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00999A65
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$MoveWindow
                              • String ID: Listbox
                              • API String ID: 3315199576-2633736733
                              • Opcode ID: 0b84ca1b9ea06f45606cfecc04ea649b84e4b675be0e69269954785133853632
                              • Instruction ID: ad7c91a471d8bca830b3ec0dde3fdd8c163cefeea595ee10704539e3578bb74a
                              • Opcode Fuzzy Hash: 0b84ca1b9ea06f45606cfecc04ea649b84e4b675be0e69269954785133853632
                              • Instruction Fuzzy Hash: 4D21BE32611118BFDF268F5CCC85FBF3BAEEB89764F018128F9549B1A0C6719C5297A0
                              APIs
                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0099A46D
                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0099A482
                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0099A48F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: msctls_trackbar32
                              • API String ID: 3850602802-1010561917
                              • Opcode ID: 9d0eee63712a2fc677221c2d30edeb102220d51206362200019566aa18841fea
                              • Instruction ID: 3e09d96ed47618c120acb515d5c88941f46b7b9c96486e9414f8a2b38082dce5
                              • Opcode Fuzzy Hash: 9d0eee63712a2fc677221c2d30edeb102220d51206362200019566aa18841fea
                              • Instruction Fuzzy Hash: 27110A71210208BEEF245F69CC45FAB376DEFC8754F014118FA45960E1D2B2E811D760
                              APIs
                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00952350,?), ref: 009522A1
                              • GetProcAddress.KERNEL32(00000000), ref: 009522A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: RoInitialize$combase.dll
                              • API String ID: 2574300362-340411864
                              • Opcode ID: eafb655ee2f14bcef2536fe0bda3db6ed2aa9e2f099e419ce5529ee44d465fe7
                              • Instruction ID: e9fb7ad7a4799f608c0a2f3a7c15d8c7d306b6f5decebdf0eb16f72c7d589896
                              • Opcode Fuzzy Hash: eafb655ee2f14bcef2536fe0bda3db6ed2aa9e2f099e419ce5529ee44d465fe7
                              • Instruction Fuzzy Hash: AAE01A746BD301ABDB105F71ED8DB64366DA781726F504420F112E60B0EBB55444EF08
                              APIs
                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00952276), ref: 00952376
                              • GetProcAddress.KERNEL32(00000000), ref: 0095237D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: RoUninitialize$combase.dll
                              • API String ID: 2574300362-2819208100
                              • Opcode ID: 28ab5c4d8fe2f462eb468774d1b99e1a17b8b7f20d368b266edf4490a3edcdf0
                              • Instruction ID: 666cff6f47f450b8ddbe17c441404fe9b63987217267e7f4adef281d604dbe0d
                              • Opcode Fuzzy Hash: 28ab5c4d8fe2f462eb468774d1b99e1a17b8b7f20d368b266edf4490a3edcdf0
                              • Instruction Fuzzy Hash: C9E0B67466E300EBDB209F61EE4DB243A6DB783B16F210424F509E60B1DBB95814EB14
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: LocalTime__swprintf
                              • String ID: %.3d$WIN_XPe
                              • API String ID: 2070861257-2409531811
                              • Opcode ID: 9e5f92528f77e64e1fe5fcb4259b1f9c30195856168685755cb72e71fa250b4e
                              • Instruction ID: a975ec5690ccb82a00509783d3956d237688b3d66c996eec8469ab05deb85c24
                              • Opcode Fuzzy Hash: 9e5f92528f77e64e1fe5fcb4259b1f9c30195856168685755cb72e71fa250b4e
                              • Instruction Fuzzy Hash: E5E01271805658DBDB11DB51CD45EF973BCA709761F100892B946E1104E73D9B84EF52
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,009342EC,?,009342AA,?), ref: 00934304
                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00934316
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                              • API String ID: 2574300362-1355242751
                              • Opcode ID: 843ccc0af177890c54eae16a68edd752139eb688ad7ecd1969e4ad7bf0db0525
                              • Instruction ID: f6176b796882cb657a31eb205fafbb2ca01c50bf8448f1e70f1505eb41b4aaef
                              • Opcode Fuzzy Hash: 843ccc0af177890c54eae16a68edd752139eb688ad7ecd1969e4ad7bf0db0525
                              • Instruction Fuzzy Hash: 9CD0A730418712DFC7255F66ED0C60176DCAB08315F01842DE441D3165EBB4DC808A10
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,009921FB,?,009923EF), ref: 00992213
                              • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00992225
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetProcessId$kernel32.dll
                              • API String ID: 2574300362-399901964
                              • Opcode ID: fbe7e6f2516335bad0c2f1b37369e0515c1d9c418c74d4afd478dfd5c7b95957
                              • Instruction ID: 3e6eef39dc01cf99e2f061068ef03d7723fcde1d37785f6553be099816d43b94
                              • Opcode Fuzzy Hash: fbe7e6f2516335bad0c2f1b37369e0515c1d9c418c74d4afd478dfd5c7b95957
                              • Instruction Fuzzy Hash: 28D0A734418712AFCB2E4F3AFD0860576DCEB08314B00442DE851E2250EB70DC809650
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,009341BB,00934341,?,0093422F,?,009341BB,?,?,?,?,009339FE,?,00000001), ref: 00934359
                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0093436B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                              • API String ID: 2574300362-3689287502
                              • Opcode ID: cdfd4ac527edf58a4306e88b7c16a2b5fc2da2b28bdf957d1d0588a3825f170b
                              • Instruction ID: 46c235b80fe652081d54bf9d4fd3e137c6639320bbe061f193f1b1242cade032
                              • Opcode Fuzzy Hash: cdfd4ac527edf58a4306e88b7c16a2b5fc2da2b28bdf957d1d0588a3825f170b
                              • Instruction Fuzzy Hash: EAD0A730418712DFC7254F35ED0C6017ADCAB14729F01852DE4C1D3150FBB4EC808A10
                              APIs
                              • LoadLibraryA.KERNEL32(oleaut32.dll,?,0097051D,?,009705FE), ref: 00970547
                              • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00970559
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: RegisterTypeLibForUser$oleaut32.dll
                              • API String ID: 2574300362-1071820185
                              • Opcode ID: 9cfac22372ff422a811715340338d6e8378f624a4045b0c8925c0a925e094a1f
                              • Instruction ID: 6b0079fa895430598a036bade80a9c11ac338c12b11ee345ee07aa80b3dec01e
                              • Opcode Fuzzy Hash: 9cfac22372ff422a811715340338d6e8378f624a4045b0c8925c0a925e094a1f
                              • Instruction Fuzzy Hash: 36D0A73141C712DFC7208F66EC0860176FCAB40715B10C82DF48AD2190E6B0CC808A10
                              APIs
                              • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0097052F,?,009706D7), ref: 00970572
                              • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00970584
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                              • API String ID: 2574300362-1587604923
                              • Opcode ID: acbfb5c5073b4b5f4770eec5e713a0c51ca47f11a8d5ca145db2a0c9b091c795
                              • Instruction ID: 73f08928f1cb46062f154ba22bf25ecf56378f4ee88ce1294451eaacf5d26b18
                              • Opcode Fuzzy Hash: acbfb5c5073b4b5f4770eec5e713a0c51ca47f11a8d5ca145db2a0c9b091c795
                              • Instruction Fuzzy Hash: 2AD0A731418312DFC7205F36EC09B027BECAB44314B10C92DF845D2190E7B0C8C08B20
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,0098ECBE,?,0098EBBB), ref: 0098ECD6
                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0098ECE8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                              • API String ID: 2574300362-1816364905
                              • Opcode ID: 99a18c47d69b5588349aa03e6b3d41f97c0797c4b661a042ef0ad43687cf1209
                              • Instruction ID: 6b5edcdf85f13460b0f04827fec2d85dfde431b995ebf60a9ec0dd62eccf452c
                              • Opcode Fuzzy Hash: 99a18c47d69b5588349aa03e6b3d41f97c0797c4b661a042ef0ad43687cf1209
                              • Instruction Fuzzy Hash: E2D0A7319187239FCB256F66ED4860276ECAB04314B00842DF885D2290FFB0CC809710
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0098BAD3,00000001,0098B6EE,?,009CDC00), ref: 0098BAEB
                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0098BAFD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetModuleHandleExW$kernel32.dll
                              • API String ID: 2574300362-199464113
                              • Opcode ID: 806d3260fcd9941d86d6ec5fd9b2bb47ee7b1d1eaa898e41cf635c03222019f5
                              • Instruction ID: 33ab9b1a66f7b09dcde6952c71089abf6c9d907b82fc9c37065bc3899b241d9e
                              • Opcode Fuzzy Hash: 806d3260fcd9941d86d6ec5fd9b2bb47ee7b1d1eaa898e41cf635c03222019f5
                              • Instruction Fuzzy Hash: 27D0A9308187229FC735AF2AEC48B1276ECAB04325B04842EE883D3290EBB0CC81CB10
                              APIs
                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00993BD1,?,00993E06), ref: 00993BE9
                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00993BFB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: RegDeleteKeyExW$advapi32.dll
                              • API String ID: 2574300362-4033151799
                              • Opcode ID: d06f8573148139b7c5c7cb13f90a9e8339aaa20c3a47ec134d7bc38410bf5e05
                              • Instruction ID: 8572010fbfab58f94d5be3b25d3cfe72a55a741467faaef59a3c8a537e02a0fa
                              • Opcode Fuzzy Hash: d06f8573148139b7c5c7cb13f90a9e8339aaa20c3a47ec134d7bc38410bf5e05
                              • Instruction Fuzzy Hash: A6D0A770418B52BFCF205F69ED08613BBFCAB01728B108429E885E2150F6B0C8808E10
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 00c686b8dd75d497e83dbf54947df5cf0a9d2ead54be0ab91a534c5cb0559e1d
                              • Instruction ID: f509c8707127105fa47930c1d7bf7321bfc3ee9199c645c77c7ddc67d08c4d9e
                              • Opcode Fuzzy Hash: 00c686b8dd75d497e83dbf54947df5cf0a9d2ead54be0ab91a534c5cb0559e1d
                              • Instruction Fuzzy Hash: DBC17D75A0021AEFCB14CFA4C994BAEB7B9FF48704F108598E905EB291D735DE41DB90
                              APIs
                              • CoInitialize.OLE32(00000000), ref: 0098AAB4
                              • CoUninitialize.OLE32 ref: 0098AABF
                                • Part of subcall function 00970213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0097027B
                              • VariantInit.OLEAUT32(?), ref: 0098AACA
                              • VariantClear.OLEAUT32(?), ref: 0098AD9D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                              • String ID:
                              • API String ID: 780911581-0
                              • Opcode ID: d764119b680b96284928090322c108eec2c77e31dee2b056ff057b7cbf725ed6
                              • Instruction ID: a7fd9b9174ebca5c436aad1cee370cd129f38838fc6fe316f6f2a25ed2297478
                              • Opcode Fuzzy Hash: d764119b680b96284928090322c108eec2c77e31dee2b056ff057b7cbf725ed6
                              • Instruction Fuzzy Hash: A1A15B756047019FDB14EF14C491B1AB7E9FF88710F14884AF99A9B3A2CB74ED44CB86
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Variant$AllocClearCopyInitString
                              • String ID:
                              • API String ID: 2808897238-0
                              • Opcode ID: 08ffcdcd70812fb88051437b8bae327ea110f7d3e5121f9a4aae2e61af7fa090
                              • Instruction ID: c25f1d16de9d66ccb9d40a5653415a0da2c2f044c324fd72af05d12d67931bdc
                              • Opcode Fuzzy Hash: 08ffcdcd70812fb88051437b8bae327ea110f7d3e5121f9a4aae2e61af7fa090
                              • Instruction Fuzzy Hash: BE51A1306143069BDB24AF6AD895F2EB3EDEF85314F20881FE556CB3E1DB7498808B05
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                              • String ID:
                              • API String ID: 3877424927-0
                              • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                              • Instruction ID: 5cbcba76d2cc548bbd59434b77b8f0f0ad0ea01e4603c5387bbb408f5e73a151
                              • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                              • Instruction Fuzzy Hash: B951EAB1E01305ABCB28CF6BC88566E77A5AF443A2F24C72DFC25862D0D7759F589B40
                              APIs
                              • GetWindowRect.USER32(00FC8250,?), ref: 0099C544
                              • ScreenToClient.USER32(?,00000002), ref: 0099C574
                              • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0099C5DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$ClientMoveRectScreen
                              • String ID:
                              • API String ID: 3880355969-0
                              • Opcode ID: 2feda4fcae812ff0e97d5201ac0772faf466ab0c2879c30ce4121f12127e9577
                              • Instruction ID: bdefc95858d8f5be9641e3cd25330ffb4c3834a61d809357e0b0e1ca3d1bc65f
                              • Opcode Fuzzy Hash: 2feda4fcae812ff0e97d5201ac0772faf466ab0c2879c30ce4121f12127e9577
                              • Instruction Fuzzy Hash: 9B514DB5A04209EFCF20DF68CC80AAE7BB9EB59320F108659F9559B290D730ED41DB90
                              APIs
                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0096C462
                              • __itow.LIBCMT ref: 0096C49C
                                • Part of subcall function 0096C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0096C753
                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0096C505
                              • __itow.LIBCMT ref: 0096C55A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend$__itow
                              • String ID:
                              • API String ID: 3379773720-0
                              • Opcode ID: 673907cb4e8acd7fc3f2b1c64da545f28dd7f14d772a1d1c12d807396a818822
                              • Instruction ID: 1c837980cef8a345831082d0aac015ef36282e86b4fc3b395bfeb32969b08faf
                              • Opcode Fuzzy Hash: 673907cb4e8acd7fc3f2b1c64da545f28dd7f14d772a1d1c12d807396a818822
                              • Instruction Fuzzy Hash: 5941B4B1A04608AFDF21EF54CC51BFE7BB9AF89700F000029F946A7291DB709A45CFA1
                              APIs
                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00973966
                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00973982
                              • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 009739EF
                              • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00973A4D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: KeyboardState$InputMessagePostSend
                              • String ID:
                              • API String ID: 432972143-0
                              • Opcode ID: 5b3161cccc662e295142e252912b53c66296eb89261d5ff43e92b6c8143c1f26
                              • Instruction ID: 7aaff01a7a1ca69f845d9cc714aa9a1812f17c0a24c1388acac24d52341c6dbf
                              • Opcode Fuzzy Hash: 5b3161cccc662e295142e252912b53c66296eb89261d5ff43e92b6c8143c1f26
                              • Instruction Fuzzy Hash: F0412972E14208EAEF348B648806BFDBBB9AB55310F04C11AF5C9521C1D7B58E85F765
                              APIs
                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0097E742
                              • GetLastError.KERNEL32(?,00000000), ref: 0097E768
                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0097E78D
                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0097E7B9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CreateHardLink$DeleteErrorFileLast
                              • String ID:
                              • API String ID: 3321077145-0
                              • Opcode ID: 6eb95f0d6c811aa3a220e009d02f86b475dd74fe3d779c205acc892b075f2ae7
                              • Instruction ID: 0513f3ccb9aaf7e943434c36f47f9aa1160dc711ae8f41c12283281b2eb9c77f
                              • Opcode Fuzzy Hash: 6eb95f0d6c811aa3a220e009d02f86b475dd74fe3d779c205acc892b075f2ae7
                              • Instruction Fuzzy Hash: C641123A600610DFCB15EF15C585A4DBBE5BF99720F198498E94AAB3A2CB74FD00CB91
                              APIs
                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0099B5D1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: InvalidateRect
                              • String ID:
                              • API String ID: 634782764-0
                              • Opcode ID: 602dfd9189551a45b0b38b9afedb38ca6bd97986be8eb40c7501723f8df3a194
                              • Instruction ID: a6c2462670fdbbfb31450b597491d8e9630f3db6741b08e79d3e78d67f0a19b3
                              • Opcode Fuzzy Hash: 602dfd9189551a45b0b38b9afedb38ca6bd97986be8eb40c7501723f8df3a194
                              • Instruction Fuzzy Hash: 8331BC74611208FBEF208F1CEE89FAC7769AB06320F654515FA51D62E1D738B940DB92
                              APIs
                              • ClientToScreen.USER32(?,?), ref: 0099D807
                              • GetWindowRect.USER32(?,?), ref: 0099D87D
                              • PtInRect.USER32(?,?,0099ED5A), ref: 0099D88D
                              • MessageBeep.USER32(00000000), ref: 0099D8FE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Rect$BeepClientMessageScreenWindow
                              • String ID:
                              • API String ID: 1352109105-0
                              APIs
                              • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00973AB8
                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00973AD4
                              • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00973B34
                              • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00973B92
                              Similarity
                              • API ID: KeyboardState$InputMessagePostSend
                              • String ID:
                              • API String ID: 432972143-0
                              APIs
                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00964038
                              • __isleadbyte_l.LIBCMT ref: 00964066
                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00964094
                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 009640CA
                              Similarity
                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                              • String ID:
                              • API String ID: 3058430110-0
                              APIs
                              • GetForegroundWindow.USER32 ref: 00997CB9
                                • Part of subcall function 00975F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00975F6F
                                • Part of subcall function 00975F55: GetCurrentThreadId.KERNEL32 ref: 00975F76
                                • Part of subcall function 00975F55: AttachThreadInput.USER32(00000000,?,0097781F), ref: 00975F7D
                              • GetCaretPos.USER32(?), ref: 00997CCA
                              • ClientToScreen.USER32(00000000,?), ref: 00997D03
                              • GetForegroundWindow.USER32 ref: 00997D09
                              Similarity
                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                              • String ID:
                              • API String ID: 2759813231-0
                              APIs
                                • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                              • GetCursorPos.USER32(?), ref: 0099F211
                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009AE4C0,?,?,?,?,?), ref: 0099F226
                              • GetCursorPos.USER32(?), ref: 0099F270
                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009AE4C0,?,?,?), ref: 0099F2A6
                              Similarity
                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                              • String ID:
                              • API String ID: 2864067406-0
                              APIs
                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00984358
                                • Part of subcall function 009843E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00984401
                                • Part of subcall function 009843E2: InternetCloseHandle.WININET(00000000), ref: 0098449E
                              Similarity
                              • API ID: Internet$CloseConnectHandleOpen
                              • String ID:
                              • API String ID: 1463438336-0
                              APIs
                              • GetWindowLongW.USER32(?,000000EC), ref: 00998AA6
                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00998AC0
                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00998ACE
                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00998ADC
                              Similarity
                              • API ID: Window$Long$AttributesLayered
                              • String ID:
                              • API String ID: 2169480361-0
                              APIs
                              • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00988AE0
                              • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00988AF2
                              • accept.WSOCK32(00000000,00000000,00000000), ref: 00988AFF
                              • WSAGetLastError.WSOCK32(00000000), ref: 00988B16
                              Similarity
                              • API ID: ErrorLastacceptselect
                              • String ID:
                              • API String ID: 385091864-0
                              APIs
                                • Part of subcall function 00971E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00970ABB,?,?,?,0097187A,00000000,000000EF,00000119,?,?), ref: 00971E77
                                • Part of subcall function 00971E68: lstrcpyW.KERNEL32(00000000,?,?,00970ABB,?,?,?,0097187A,00000000,000000EF,00000119,?,?,00000000), ref: 00971E9D
                                • Part of subcall function 00971E68: lstrcmpiW.KERNEL32(00000000,?,00970ABB,?,?,?,0097187A,00000000,000000EF,00000119,?,?), ref: 00971ECE
                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0097187A,00000000,000000EF,00000119,?,?,00000000), ref: 00970AD4
                              • lstrcpyW.KERNEL32(00000000,?,?,0097187A,00000000,000000EF,00000119,?,?,00000000), ref: 00970AFA
                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,0097187A,00000000,000000EF,00000119,?,?,00000000), ref: 00970B2E
                              Strings
                              Similarity
                              • API ID: lstrcmpilstrcpylstrlen
                              • String ID: cdecl
                              • API String ID: 4031866154-3896280584
                              APIs
                              • _free.LIBCMT ref: 00962FB5
                                • Part of subcall function 0095395C: __FF_MSGBANNER.LIBCMT ref: 00953973
                                • Part of subcall function 0095395C: __NMSG_WRITE.LIBCMT ref: 0095397A
                                • Part of subcall function 0095395C: RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001,00000001,00000000,?,?,0094F507,?,0000000E), ref: 0095399F
                              Similarity
                              • API ID: AllocateHeap_free
                              • String ID:
                              • API String ID: 614378929-0
                              APIs
                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009705AC
                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009705C7
                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009705DD
                              • FreeLibrary.KERNEL32(?), ref: 00970632
                              Similarity
                              • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                              • String ID:
                              • API String ID: 3137044355-0
                              APIs
                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00976733
                              • _memset.LIBCMT ref: 00976754
                              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009767A6
                              • CloseHandle.KERNEL32(00000000), ref: 009767AF
                              Similarity
                              • API ID: CloseControlCreateDeviceFileHandle_memset
                              • String ID:
                              • API String ID: 1157408455-0
                              APIs
                                • Part of subcall function 0096AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0096AA79
                                • Part of subcall function 0096AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0096AA83
                                • Part of subcall function 0096AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0096AA92
                                • Part of subcall function 0096AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0096AA99
                                • Part of subcall function 0096AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0096AAAF
                              • GetLengthSid.ADVAPI32(?,00000000,0096ADE4,?,?), ref: 0096B21B
                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0096B227
                              • HeapAlloc.KERNEL32(00000000), ref: 0096B22E
                              • CopySid.ADVAPI32(?,00000000,?), ref: 0096B247
                              Similarity
                              • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                              • String ID:
                              • API String ID: 4217664535-0
                              APIs
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0096B498
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0096B4AA
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0096B4C0
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0096B4DB
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              APIs
                                • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                              • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0094B5A5
                              • GetClientRect.USER32(?,?), ref: 009AE69A
                              • GetCursorPos.USER32(?), ref: 009AE6A4
                              • ScreenToClient.USER32(?,?), ref: 009AE6AF
                              Similarity
                              • API ID: Client$CursorLongProcRectScreenWindow
                              • String ID:
                              • API String ID: 4127811313-0
                              • Opcode ID: 331f162db6b226d871f7b2c3acfdbbb63bc6c62ca3e6379712e34747893938d0
                              • Instruction ID: b23031488ab4169102ab3bf61786fb9fdca5cc39a6a1fc64d55b9a2a50e448ad
                              • Opcode Fuzzy Hash: 331f162db6b226d871f7b2c3acfdbbb63bc6c62ca3e6379712e34747893938d0
                              • Instruction Fuzzy Hash: 2811363190102AFFCB10EF98CD85EAEB7B8EB49314F000851F901E7140E334EA91DBA1
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 00977352
                              • MessageBoxW.USER32(?,?,?,?), ref: 00977385
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0097739B
                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009773A2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                              • String ID:
                              • API String ID: 2880819207-0
                              • Opcode ID: f673d315f440062d40248e885cb9a699b181b2fc57f13e4ddfbf03422fbc79f6
                              • Instruction ID: 191eebb10305dd45ac96b0258b0ecf2d13f4406277ce9de0874f2fb77e013ac6
                              • Opcode Fuzzy Hash: f673d315f440062d40248e885cb9a699b181b2fc57f13e4ddfbf03422fbc79f6
                              • Instruction Fuzzy Hash: 30110872A2C204BFC7019BACDC05AEEBBAD9B45324F048315F935D3261E6748D00A7A0
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0094D1BA
                              • GetStockObject.GDI32(00000011), ref: 0094D1CE
                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0094D1D8
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CreateMessageObjectSendStockWindow
                              • String ID:
                              • API String ID: 3970641297-0
                              • Opcode ID: 716f97914950872761cb3e39ce2611f27ce946a579336816c16d1ad1656dace8
                              • Instruction ID: e39f4e445c07b866e38d1c29cd134f4ac00753ceeccde7f0feb623432876665f
                              • Opcode Fuzzy Hash: 716f97914950872761cb3e39ce2611f27ce946a579336816c16d1ad1656dace8
                              • Instruction Fuzzy Hash: 3011ADB250A509BFEF0A4F909C50EEABB6DFF08364F040216FE1452050DB319C60EBA0
                              APIs
                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00972B1B,?,00973B9F,?,00008000), ref: 00973FB8
                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00972B1B,?,00973B9F,?,00008000), ref: 00973FDD
                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00972B1B,?,00973B9F,?,00008000), ref: 00973FE7
                              • Sleep.KERNEL32(?,?,?,?,?,?,?,00972B1B,?,00973B9F,?,00008000), ref: 0097401A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CounterPerformanceQuerySleep
                              • String ID:
                              • API String ID: 2875609808-0
                              • Opcode ID: 81700c808a02d9a49dc530b178c5b2126d37e291e6d1eb5236d1e3773dc46013
                              • Instruction ID: 826a799b2cfaa9cbf215053b7a5f8cd39d93116f65f1876ad9fe658629fdb200
                              • Opcode Fuzzy Hash: 81700c808a02d9a49dc530b178c5b2126d37e291e6d1eb5236d1e3773dc46013
                              • Instruction Fuzzy Hash: 2711A172D1561DEBDF049FA4D948BEEBF38FF09751F008055EA45B6180CB309660EB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                              • String ID:
                              • API String ID: 3016257755-0
                              • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                              • Instruction ID: ab6138ce22543f597623d313d7790ae4d0dacc5b1f93e2c9564e0dc333087662
                              • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                              • Instruction Fuzzy Hash: CC01443200014ABBCF175EC8DC168EE3F26BB58390F598855FA2859131D337CAB2EB81
                              APIs
                                • Part of subcall function 00957A0D: __getptd_noexit.LIBCMT ref: 00957A0E
                              • __lock.LIBCMT ref: 0095748F
                              • InterlockedDecrement.KERNEL32(?), ref: 009574AC
                              • _free.LIBCMT ref: 009574BF
                              • InterlockedIncrement.KERNEL32(00FB3880), ref: 009574D7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                              • String ID:
                              • API String ID: 2704283638-0
                              • Opcode ID: a015f99b9fecbf005e6a1e0de41fc7e2c53372257a0ed1e45c8befdb36b58a7a
                              • Instruction ID: a2dae6b3c519d8aa6effbb89b3e61e6510f3154739190e309b38606ad8ee629a
                              • Opcode Fuzzy Hash: a015f99b9fecbf005e6a1e0de41fc7e2c53372257a0ed1e45c8befdb36b58a7a
                              • Instruction Fuzzy Hash: 4C01003290A661ABC722EFA7B90931DFB65BF44B22F154005FC14672A0CB206E08DFC2
                              APIs
                              • __lock.LIBCMT ref: 00957AD8
                                • Part of subcall function 00957CF4: __mtinitlocknum.LIBCMT ref: 00957D06
                                • Part of subcall function 00957CF4: EnterCriticalSection.KERNEL32(00000000,?,00957ADD,0000000D), ref: 00957D1F
                              • InterlockedIncrement.KERNEL32(?), ref: 00957AE5
                              • __lock.LIBCMT ref: 00957AF9
                              • ___addlocaleref.LIBCMT ref: 00957B17
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                              • String ID:
                              • API String ID: 1687444384-0
                              • Opcode ID: 4adb2ec9a3cc0b769ee1f035fb9798d5be5ab2ed37099c76e674bcdc841f6dc2
                              • Instruction ID: 17046e0c6a04e1131a36c82af0f11695f8db78a7a471c99d83258ad1cee0b14f
                              • Opcode Fuzzy Hash: 4adb2ec9a3cc0b769ee1f035fb9798d5be5ab2ed37099c76e674bcdc841f6dc2
                              • Instruction Fuzzy Hash: CD016171405700DFD721DFB6D905749F7F0AF90326F20494EE89A972A0CB70A648CB11
                              APIs
                              • _memset.LIBCMT ref: 0099E33D
                              • _memset.LIBCMT ref: 0099E34C
                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009F3D00,009F3D44), ref: 0099E37B
                              • CloseHandle.KERNEL32 ref: 0099E38D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _memset$CloseCreateHandleProcess
                              • String ID:
                              • API String ID: 3277943733-0
                              • Opcode ID: 140bf9e7fa462b06042314f96df712f04de833fb967dd17b0dcf176209da0b4e
                              • Instruction ID: aed58c385f8a33b2a07b694ca36425f53b910d7dfca8386d46c82538d6203f7a
                              • Opcode Fuzzy Hash: 140bf9e7fa462b06042314f96df712f04de833fb967dd17b0dcf176209da0b4e
                              • Instruction Fuzzy Hash: 6BF05EF1564304BAE3105B65EC46F777EACDB04B55F008421BF08D61E2D3799E00E7A8
                              APIs
                                • Part of subcall function 0094AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0094AFE3
                                • Part of subcall function 0094AF83: SelectObject.GDI32(?,00000000), ref: 0094AFF2
                                • Part of subcall function 0094AF83: BeginPath.GDI32(?), ref: 0094B009
                                • Part of subcall function 0094AF83: SelectObject.GDI32(?,00000000), ref: 0094B033
                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0099EA8E
                              • LineTo.GDI32(00000000,?,?), ref: 0099EA9B
                              • EndPath.GDI32(00000000), ref: 0099EAAB
                              • StrokePath.GDI32(00000000), ref: 0099EAB9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                              • String ID:
                              • API String ID: 1539411459-0
                              • Opcode ID: 957abd70242b83178aa10c1e5be2199d6d5afd0e5a3597719e61bd05826c12bd
                              • Instruction ID: 68a4eca79c037af879b15191d5e51466de0790b2e3d215447dfcb54a65bf9496
                              • Opcode Fuzzy Hash: 957abd70242b83178aa10c1e5be2199d6d5afd0e5a3597719e61bd05826c12bd
                              • Instruction Fuzzy Hash: F9F0823105A25ABBDB12AF98AE0DFCE3F19AF16321F084201FE11610F187755551EBD9
                              APIs
                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0096C84A
                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0096C85D
                              • GetCurrentThreadId.KERNEL32 ref: 0096C864
                              • AttachThreadInput.USER32(00000000), ref: 0096C86B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                              • String ID:
                              • API String ID: 2710830443-0
                              • Opcode ID: 28367e0e67f9cc480a1dd007a84d01d5e5c54bd9033b06c57cbf457cf3458149
                              • Instruction ID: bb0951bc353091955242e96e7929fe9f6717168744aa19b99f652fdf6447a41a
                              • Opcode Fuzzy Hash: 28367e0e67f9cc480a1dd007a84d01d5e5c54bd9033b06c57cbf457cf3458149
                              • Instruction Fuzzy Hash: D7E065B1146228B6DB205B61DD0DEDB7F1CEF057B1F408115B50D95450D671C580DBE0
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 0096B0D6
                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,0096AC9D), ref: 0096B0DD
                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0096AC9D), ref: 0096B0EA
                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,0096AC9D), ref: 0096B0F1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CurrentOpenProcessThreadToken
                              • String ID:
                              • API String ID: 3974789173-0
                              • Opcode ID: a3245fdd8c5ca72e1bb09beb059c3407aa5d86f0666df2e989512ff7bd263c40
                              • Instruction ID: 81e9f2ce89edfda47de14268faa09c63ef369a0413ab8b759eb30e81d7331551
                              • Opcode Fuzzy Hash: a3245fdd8c5ca72e1bb09beb059c3407aa5d86f0666df2e989512ff7bd263c40
                              • Instruction Fuzzy Hash: 85E086366562129BD7202FB15E0CB473BACEF557B5F018928F741D6040FB348441DB60
                              APIs
                              • GetSysColor.USER32(00000008), ref: 0094B496
                              • SetTextColor.GDI32(?,000000FF), ref: 0094B4A0
                              • SetBkMode.GDI32(?,00000001), ref: 0094B4B5
                              • GetStockObject.GDI32(00000005), ref: 0094B4BD
                              • GetWindowDC.USER32(?,00000000), ref: 009ADE2B
                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 009ADE38
                              • GetPixel.GDI32(00000000,?,00000000), ref: 009ADE51
                              • GetPixel.GDI32(00000000,00000000,?), ref: 009ADE6A
                              • GetPixel.GDI32(00000000,?,?), ref: 009ADE8A
                              • ReleaseDC.USER32(?,00000000), ref: 009ADE95
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                              • String ID:
                              • API String ID: 1946975507-0
                              • Opcode ID: 28ca1d5cd955cf56173f599aeeece579f954fb3745d4447bdca2372b231fc841
                              • Instruction ID: 7f2214f1ce124eac20fe9c9345e49694e53539db5e5a8440a63ee6261f8542f9
                              • Opcode Fuzzy Hash: 28ca1d5cd955cf56173f599aeeece579f954fb3745d4447bdca2372b231fc841
                              • Instruction Fuzzy Hash: 75E06D31119240AAEB251B68AC09BD83B15AB1233AF10C326F66A980E1D7B18580EB11
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CapsDesktopDeviceReleaseWindow
                              • String ID:
                              • API String ID: 2889604237-0
                              • Opcode ID: 4676e114c2f57e4fb4af0adec20c6265ec63b749d9605fcfa7b484f46c6f9cc0
                              • Instruction ID: 6f8ddfd993af751cb3322fff456f1f353bf93a8dd2b71959308cbdbf5991b8a9
                              • Opcode Fuzzy Hash: 4676e114c2f57e4fb4af0adec20c6265ec63b749d9605fcfa7b484f46c6f9cc0
                              • Instruction Fuzzy Hash: 00E04FB5515204EFDB005F70C948A6D7BA4FB4C361F11C916FC5A87311EB789840AB50
                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0096B2DF
                              • UnloadUserProfile.USERENV(?,?), ref: 0096B2EB
                              • CloseHandle.KERNEL32(?), ref: 0096B2F4
                              • CloseHandle.KERNEL32(?), ref: 0096B2FC
                                • Part of subcall function 0096AB24: GetProcessHeap.KERNEL32(00000000,?,0096A848), ref: 0096AB2B
                                • Part of subcall function 0096AB24: HeapFree.KERNEL32(00000000), ref: 0096AB32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                              • String ID:
                              • API String ID: 146765662-0
                              • Opcode ID: 7dfd871ba6ef5d3b8c1846c821ba5e300f3c90023666451e1ea73164f595a8cc
                              • Instruction ID: b3911b08abed1bbfdc4222c5707596559f53cb1179a11fc988a6cf335abfb0ea
                              • Opcode Fuzzy Hash: 7dfd871ba6ef5d3b8c1846c821ba5e300f3c90023666451e1ea73164f595a8cc
                              • Instruction Fuzzy Hash: 04E0B63A119005BBCB012BA5ED0885DFBA6FF887313148322F62581575DB32A871FF91
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CapsDesktopDeviceReleaseWindow
                              • String ID:
                              • API String ID: 2889604237-0
                              • Opcode ID: f9c00211f03319d6362a21f7be555b013a29d4e8db36f3f48a2eb245b71a0303
                              • Instruction ID: 92a16225f86019e4326a2809af428d634890a000acc7e9fe1b0db6059821cd52
                              • Opcode Fuzzy Hash: f9c00211f03319d6362a21f7be555b013a29d4e8db36f3f48a2eb245b71a0303
                              • Instruction Fuzzy Hash: E8E046B9915200EFDB005F70C988A2D7BA8FB4C361F118A1AFD5A8B310EB789800AB50
                              APIs
                              • OleSetContainedObject.OLE32(?,00000001), ref: 0096DEAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                               • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ContainedObject
                              • String ID: AutoIt3GUI$Container
                              • API String ID: 3565006973-3941886329
                              • Opcode ID: 9d4aa3af933c45991cda28836f0f93caf17cb9fd4ce98e5751e61e738dbffeea
                              • Instruction ID: 3ffd228925cb30e43b8a8c24d6026e72c33c6426ae24e6e8b879d264f3d4b57a
                              • Opcode Fuzzy Hash: 9d4aa3af933c45991cda28836f0f93caf17cb9fd4ce98e5751e61e738dbffeea
                              • Instruction Fuzzy Hash: 80914774A01701AFDB24DF64C894B6AB7F9BF88710F20886DF95ACB691DB71E841CB50
                              APIs
                                • Part of subcall function 0094C6F4: _wcscpy.LIBCMT ref: 0094C717
                                • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                              • __wcsnicmp.LIBCMT ref: 0097DEFD
                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0097DFC6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                              • String ID: LPT
                              • API String ID: 3222508074-1350329615
                              • Opcode ID: e40ae52206b3fe868eee10efeeaa3d7bd5b23a0cd7293fd156aa0e56ef461fc9
                              • Instruction ID: 5f8bca625b5abb09f7e95c6947c21aaaada8bbecf6cad87ced7d5fdb3d85b852
                              • Opcode Fuzzy Hash: e40ae52206b3fe868eee10efeeaa3d7bd5b23a0cd7293fd156aa0e56ef461fc9
                              • Instruction Fuzzy Hash: C7618276A04215AFCB14DF98C895FAEB7F8EF48310F058099F54AAB291D774AE40CB50
                              APIs
                              • Sleep.KERNEL32(00000000), ref: 0094BCDA
                              • GlobalMemoryStatusEx.KERNEL32 ref: 0094BCF3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: GlobalMemorySleepStatus
                              • String ID: @
                              • API String ID: 2783356886-2766056989
                              • Opcode ID: 3ecb1b2b82d066ff44b56aef1c0230dffda1ac0e12d9ebb82f0eda057924a05f
                              • Instruction ID: b1eea6a9de4cbf4938c0150b1bda5cebc9ada0ee9d0b3d4432c5dcdcd8a8ae40
                              • Opcode Fuzzy Hash: 3ecb1b2b82d066ff44b56aef1c0230dffda1ac0e12d9ebb82f0eda057924a05f
                              • Instruction Fuzzy Hash: D6512871418748ABE320AF14D885FAFBBECFBD4354F81485EF1C8450A6DB7089A89766
                              APIs
                                • Part of subcall function 009344ED: __fread_nolock.LIBCMT ref: 0093450B
                              • _wcscmp.LIBCMT ref: 0097C65D
                              • _wcscmp.LIBCMT ref: 0097C670
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: _wcscmp$__fread_nolock
                              • String ID: FILE
                              • API String ID: 4029003684-3121273764
                              • Opcode ID: 0631f224e3b6263d1578cb098ab04677b19ec524ad78a834e2102372bd2a2e6c
                              • Instruction ID: ccf149ec91eefd0e13a376317a41dd5a32ad34a686b60d14eda24caa79c9051a
                              • Opcode Fuzzy Hash: 0631f224e3b6263d1578cb098ab04677b19ec524ad78a834e2102372bd2a2e6c
                              • Instruction Fuzzy Hash: 0641D572A0020ABBDF20ABA4DC85FEF77B9AF89714F014479F605EB191D671AA048B51
                              APIs
                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0099A85A
                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0099A86F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: '
                              • API String ID: 3850602802-1997036262
                              • Opcode ID: ea2b30f5d40af33b6640332129723b7914d1887c00036be53da75034bcd55aed
                              • Instruction ID: 0c8ddb9ec38a19189e6c383a6c51c3d8b59f27d88d27a32c9a9d9a5bfe9d2daa
                              • Opcode Fuzzy Hash: ea2b30f5d40af33b6640332129723b7914d1887c00036be53da75034bcd55aed
                              • Instruction Fuzzy Hash: 0941E774E012099FDF14CFA9D881BEA7BB9FB08314F14016AE905EB351D770A941CFA1
                              APIs
                              • _memset.LIBCMT ref: 00985190
                              • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 009851C6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: CrackInternet_memset
                              • String ID: |
                              • API String ID: 1413715105-2343686810
                              • Opcode ID: 5c88fec56cb7ae9880dfedd6c4934c548f465356a5cf583a3fc3c1c6bfe6ebf7
                              • Instruction ID: 8ea65e7b32c04414cf566237e63c3aecb326da3a1329d78a12ef0749875fb550
                              • Opcode Fuzzy Hash: 5c88fec56cb7ae9880dfedd6c4934c548f465356a5cf583a3fc3c1c6bfe6ebf7
                              • Instruction Fuzzy Hash: C031F871800119ABCF11EFA4CC85AEEBFB9FF58710F100015E815B6266EA31A95ADFA0
                              APIs
                              • DestroyWindow.USER32(?,?,?,?), ref: 0099980E
                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0099984A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$DestroyMove
                              • String ID: static
                              • API String ID: 2139405536-2160076837
                              • Opcode ID: 0a5c46bacb3b9d0d54e24ee8a7dac55ef589b2273da38cacdc282c90a6ea1685
                              • Instruction ID: b8fc30ae1e8a6df2800817671a9daea3cc85b7761b7442b1a9f927cc9e147f36
                              • Opcode Fuzzy Hash: 0a5c46bacb3b9d0d54e24ee8a7dac55ef589b2273da38cacdc282c90a6ea1685
                              • Instruction Fuzzy Hash: 01315871110604AAEF209F79CC81BBB77ADFF99764F10861DF9A9C7190DA31AC81DB60
                              APIs
                              • _memset.LIBCMT ref: 009751C6
                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00975201
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: InfoItemMenu_memset
                              • String ID: 0
                              • API String ID: 2223754486-4108050209
                              • Opcode ID: 6788e59863c6f13a533bde8a143e5494833627e790a6974a646f2f90089ab8f0
                              • Instruction ID: b2d4352bdfc7c68240e20a54865db1dd919ee3e4651cf6fa0882af8fc215d9d0
                              • Opcode Fuzzy Hash: 6788e59863c6f13a533bde8a143e5494833627e790a6974a646f2f90089ab8f0
                              • Instruction Fuzzy Hash: 4E312873600304DBEBA4CF99D845BAEBBFCFF85350F158019E9A9A61A1D7F09944CB50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: __snwprintf
                              • String ID: , $$AUTOITCALLVARIABLE%d
                              • API String ID: 2391506597-2584243854
                              • Opcode ID: 88fa953919f8c91628bc1f2216873f3e3c21ae510f366984517317f0c6f971ad
                              • Instruction ID: 14eacb6aac4759e25f6c9cf0fc1bc33517a3bc02f9024c7973eb8f4e502c15ce
                              • Opcode Fuzzy Hash: 88fa953919f8c91628bc1f2216873f3e3c21ae510f366984517317f0c6f971ad
                              • Instruction Fuzzy Hash: 05216F71A00259ABCF11EFA5D882FAD77B4AF89704F004459F515AB281DB70EE45CFA1
                              APIs
                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0099945C
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00999467
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: Combobox
                              • API String ID: 3850602802-2096851135
                              • Opcode ID: 8892be370be747bdcba05e97cc48d9237c4f6e19f14d8902cc7f561b6c08c3d6
                              • Instruction ID: 5aea2e56a5e1d7e769f3679ecaefb9a1bbf5233b4a48bfb8909db561263eba0d
                              • Opcode Fuzzy Hash: 8892be370be747bdcba05e97cc48d9237c4f6e19f14d8902cc7f561b6c08c3d6
                              • Instruction Fuzzy Hash: 51118271310218AFEF26DF5CDC81EBB376FEB983A4F104129F919972A0D6719C529760
                              APIs
                                • Part of subcall function 0094D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0094D1BA
                                • Part of subcall function 0094D17C: GetStockObject.GDI32(00000011), ref: 0094D1CE
                                • Part of subcall function 0094D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0094D1D8
                              • GetWindowRect.USER32(00000000,?), ref: 00999968
                              • GetSysColor.USER32(00000012), ref: 00999982
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                              • String ID: static
                              • API String ID: 1983116058-2160076837
                              • Opcode ID: 9b9b0d323c78ae45ae6634d565f1a7e7ec7b1b0937d6002924795d568c9f5e15
                              • Instruction ID: f9724ffb69e8a0aa186cfbcc92d92fde25dbddedef590b166c65f6742f31ca60
                              • Opcode Fuzzy Hash: 9b9b0d323c78ae45ae6634d565f1a7e7ec7b1b0937d6002924795d568c9f5e15
                              • Instruction Fuzzy Hash: 90112672520209AFDF04DFB8CC45AEA7BA8FB48354F01462CFD55E2250E735E850DB60
                              APIs
                              • GetWindowTextLengthW.USER32(00000000), ref: 00999699
                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009996A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: LengthMessageSendTextWindow
                              • String ID: edit
                              • API String ID: 2978978980-2167791130
                              • Opcode ID: 2365dbd8b924620ff06f075ff4671cb20269f970c8f52b340ed60c1a0d296c87
                              • Instruction ID: 3f8a2f7c5d5c257c8c8055445e474e417ef44b47892f5eb064d1e0c52c4f4872
                              • Opcode Fuzzy Hash: 2365dbd8b924620ff06f075ff4671cb20269f970c8f52b340ed60c1a0d296c87
                              • Instruction Fuzzy Hash: 1D119A71510108AAEF108F6CDC40EEB3B6EEB05378F100728F965931E0C7369C50A760
                              APIs
                              • _memset.LIBCMT ref: 009752D5
                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009752F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: InfoItemMenu_memset
                              • String ID: 0
                              • API String ID: 2223754486-4108050209
                              • Opcode ID: 745340878b8095b8114ba195028f1e35819153089b27815a394e4fdba92dfaff
                              • Instruction ID: 03c01d05aaeec70c59e375d04bc1d2aab0b4de353cfd8f656e710ba124af8c15
                              • Opcode Fuzzy Hash: 745340878b8095b8114ba195028f1e35819153089b27815a394e4fdba92dfaff
                              • Instruction Fuzzy Hash: 6411D073A01614EBDBA0DA98D904BAD77BDAB45790F068125E91DA72A0E3F0AD04C790
                              APIs
                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00984DF5
                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00984E1E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Internet$OpenOption
                              • String ID: <local>
                              • API String ID: 942729171-4266983199
                              • Opcode ID: 684087cba1379733c6230152dbdc7594bc9964db57f9831603f56a77434cb355
                              • Instruction ID: 4ddff201e1d3a90abb79d6d873427ab8000f5991db4b155fd8ef9ab1eac38a4a
                              • Opcode Fuzzy Hash: 684087cba1379733c6230152dbdc7594bc9964db57f9831603f56a77434cb355
                              • Instruction Fuzzy Hash: 59119EB1501222BADB259F51C888EEBFAACFF06755F10862AF50596280E6746940D7E0
                              APIs
                              • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0098A84E
                              • htons.WSOCK32(00000000,?,00000000), ref: 0098A88B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: htonsinet_addr
                              • String ID: 255.255.255.255
                              • API String ID: 3832099526-2422070025
                              • Opcode ID: 98c3e73466f6cc04dc20d57ce6655a897ba76ff67465dda2cf629183ec2842c1
                              • Instruction ID: c5d8b49496e8e9ccc4154c1ca3239fb06b7dc55b6f39594163b974297e3132a2
                              • Opcode Fuzzy Hash: 98c3e73466f6cc04dc20d57ce6655a897ba76ff67465dda2cf629183ec2842c1
                              • Instruction Fuzzy Hash: D301F9B5200305ABDB21EF64C886FADB368EF44320F108527F516973D1D771E801C762
                              APIs
                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0096B7EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: ComboBox$ListBox
                              • API String ID: 3850602802-1403004172
                              • Opcode ID: 8c8550fa9e5a09c50ef3b67fb0e35f3a89e8d5b4484e54e00900845378fa5c73
                              • Instruction ID: e1c44f8785466582d9be77bd34f80b4e20f78d647cc818944cd943f60aaf5b0e
                              • Opcode Fuzzy Hash: 8c8550fa9e5a09c50ef3b67fb0e35f3a89e8d5b4484e54e00900845378fa5c73
                              • Instruction Fuzzy Hash: 7501D4B1A41118ABCB04EBA4CC52AFE737DBF95350B04062DF472A72D2EB745D08CB90
                              APIs
                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 0096B6EB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: ComboBox$ListBox
                              • API String ID: 3850602802-1403004172
                              • Opcode ID: 482243f18d7b44f3315ec8d80e015b3dcd5d41f73049826976c06d9435bed94a
                              • Instruction ID: 0e29491cce278c2c2855fe5c8164e01dd8620700750d2e33fdf8be6329bfbdc8
                              • Opcode Fuzzy Hash: 482243f18d7b44f3315ec8d80e015b3dcd5d41f73049826976c06d9435bed94a
                              • Instruction Fuzzy Hash: 71016DB1A41108ABCB15EBA4C962BFE73BD9F85354F100029B502B32D2EB545E189BB5
                              APIs
                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 0096B76C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: ComboBox$ListBox
                              • API String ID: 3850602802-1403004172
                              • Opcode ID: 34d137b700de6ec357c42103cd60f830bc9ab0a3b66d98fc2eecc2fd93cf0dd4
                              • Instruction ID: 743c13c2328db9188a31a553fe160f038507e5255d65a7fc550e99fd93705dcd
                              • Opcode Fuzzy Hash: 34d137b700de6ec357c42103cd60f830bc9ab0a3b66d98fc2eecc2fd93cf0dd4
                              • Instruction Fuzzy Hash: 8401D1B2A41108ABCB01EBA4CA12FFE73AC9B85344F100029B402F31D2EB645F099BB5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: ClassName_wcscmp
                              • String ID: #32770
                              • API String ID: 2292705959-463685578
                              • Opcode ID: e9cb81fa07ff0b9c16abcb122f94434398699d77f32f72bd0d42496889c1a671
                              • Instruction ID: bfc7f6ff1133c1be771ab9c0cc197dac86b1b748d50ea3a8a34a248a715b81d8
                              • Opcode Fuzzy Hash: e9cb81fa07ff0b9c16abcb122f94434398699d77f32f72bd0d42496889c1a671
                              • Instruction Fuzzy Hash: B1E0927760422567D710EAA6DC0AF9BFBACAB91B64F004156B905D3041E670AA4587D4
                              APIs
                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0096A63F
                                • Part of subcall function 009513F1: _doexit.LIBCMT ref: 009513FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: Message_doexit
                              • String ID: AutoIt$Error allocating memory.
                              • API String ID: 1993061046-4017498283
                              • Opcode ID: 2ef5900a371cbdad07c0007a8c01aa3fc85be78beb7a2ce1f4b880c322eb5ec3
                              • Instruction ID: cd6fcdc8bc08646c8cf38e528f1520915649a371565192c4f25a7739117b6f36
                              • Opcode Fuzzy Hash: 2ef5900a371cbdad07c0007a8c01aa3fc85be78beb7a2ce1f4b880c322eb5ec3
                              • Instruction Fuzzy Hash: EFD02B313C531833C21436996D17FC8364CCB84B65F040025BB08950C349E6894002DA
                              APIs
                              • GetSystemDirectoryW.KERNEL32(?), ref: 009AACC0
                              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 009AAEBD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: DirectoryFreeLibrarySystem
                              • String ID: WIN_XPe
                              • API String ID: 510247158-3257408948
                              • Opcode ID: 27e31bd88bf5c58d805a86514fa66c2fe419d03a512e6839232946b1b47f4347
                              • Instruction ID: 5350aee7c2768fc15d0b58f4b27749b49f52e3c0c6c9be76a28a54c6e15333b3
                              • Opcode Fuzzy Hash: 27e31bd88bf5c58d805a86514fa66c2fe419d03a512e6839232946b1b47f4347
                              • Instruction Fuzzy Hash: C8E09B70C15149DFDB15DFA5DD44AECF7BCAB49310F108181E052B2260D7344A44DF21
                              APIs
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009986A2
                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009986B5
                                • Part of subcall function 00977A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977AD0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: FindMessagePostSleepWindow
                              • String ID: Shell_TrayWnd
                              • API String ID: 529655941-2988720461
                              • Opcode ID: d171127bf59a31eb0cf5051dfe45d6b7e21e372f7e041ea6e31addac8d8eb28d
                              • Instruction ID: c30882a6a344f4208ad884329c18c738f25d32e66119bb4280e39282028d384f
                              • Opcode Fuzzy Hash: d171127bf59a31eb0cf5051dfe45d6b7e21e372f7e041ea6e31addac8d8eb28d
                              • Instruction Fuzzy Hash: 03D0A932399314B7E22863709C0BFC66A089B40B20F000914B609AA1C0C8E0A9008A10
                              APIs
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009986E2
                              • PostMessageW.USER32(00000000), ref: 009986E9
                                • Part of subcall function 00977A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977AD0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1290142176.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                              • Associated: 00000000.00000002.1290108073.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009BD000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290240330.00000000009DE000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290361481.00000000009EA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1290391728.00000000009F4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_930000_RFQ.jbxd
                              Similarity
                              • API ID: FindMessagePostSleepWindow
                              • String ID: Shell_TrayWnd
                              • API String ID: 529655941-2988720461
                              • Opcode ID: ff8c0a13e003e3868fd0e276dd6f4e12754e4e1dab940b59ab18fc21be73f61c
                              • Instruction ID: 9662cc973363f3bc0653123d42edaf321bbc07691787e3b4a728f7c4a16b43fb
                              • Opcode Fuzzy Hash: ff8c0a13e003e3868fd0e276dd6f4e12754e4e1dab940b59ab18fc21be73f61c
                              • Instruction Fuzzy Hash: 70D0A93238A314BBF22963709C0BFC66A089B44B20F000914B609AA1C0C8E0A9008A14
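The function entries above are the AutoIt runtime's own GUI helpers (ListBox/ComboBox handling, the "Error allocating memory." exit path, the Shell_TrayWnd WM_COMMAND post), and the message numbers in the SendMessageW/PostMessageW calls are printed as raw hex. When triaging a report of this size it helps to parse the entries and resolve those constants rather than read them by hand. The script below is an added example written for this page, not Joe Sandbox code: it parses the "APIs" / "String ID" / fuzzy-hash lines in the format they take on this page, and resolves the message IDs that actually occur here from the winuser.h values (0x0111 WM_COMMAND, 0x0180 LB_ADDSTRING, 0x0182 LB_DELETESTRING, 0x01A2 LB_FINDSTRINGEXACT). The embedded sample is an abridged copy of three entries from this report; any other layout of the report text is an assumption the regexes may not cover.

```python
"""Parse Joe Sandbox function entries (APIs / Strings / Similarity blocks) and
resolve raw Win32 message constants seen in SendMessageW/PostMessageW calls.
Added example for triage of this report; not part of Joe Sandbox."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Subset of winuser.h constants; only values that occur in this report are listed.
MSG_NAMES = {
    0x0111: "WM_COMMAND",
    0x0180: "LB_ADDSTRING",
    0x0182: "LB_DELETESTRING",
    0x01A2: "LB_FINDSTRINGEXACT",
}
MESSAGE_APIS = {"SendMessageW", "PostMessageW", "SendMessageA", "PostMessageA"}

# "• Name.MODULE(args), ref: ADDR" or a nested "• Part of subcall function X: Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode Fuzzy Hash|Instruction Fuzzy Hash):"
    r"\s*(?P<value>.*?)\s*$"
)

# Abridged copy of three entries from this report (Memory Dump Source lines dropped).
SAMPLE = """\
APIs
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0096B7EF
Strings
• API ID: MessageSend
• String ID: ComboBox$ListBox
• Opcode Fuzzy Hash: 8c8550fa9e5a09c50ef3b67fb0e35f3a89e8d5b4484e54e00900845378fa5c73
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0096A63F
  • Part of subcall function 009513F1: _doexit.LIBCMT ref: 009513FB
Strings
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009986A2
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009986B5
  • Part of subcall function 00977A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977AD0
Strings
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    caller: Optional[str] = None  # set when the call is inside a subcall of the function


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_entries(text):
    """Split report text into FunctionEntry objects; an 'APIs' header opens a new entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first entry header
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            current.apis.append(ApiCall(m.group("name"), m.group("module"),
                                        args.split(",") if args is not None else [],
                                        m.group("ref"), m.group("caller")))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m.group("key")] = m.group("value")
            if m.group("key") == "String ID":
                current.strings = m.group("value").split("$")  # '$' joins string refs
    return entries


def _hex_arg(args, index):
    """args[index] as int when the sandbox recovered it; None for '?' or a missing slot."""
    if index >= len(args):
        return None
    try:
        return int(args[index], 16)
    except ValueError:
        return None


def resolve_messages(entry):
    """Name the uMsg (and WM_COMMAND id) of each Send/PostMessage call in an entry."""
    notes = []
    for call in entry.apis:
        if call.name not in MESSAGE_APIS:
            continue
        msg = _hex_arg(call.args, 1)  # (hwnd, uMsg, wParam, lParam)
        if msg is None:
            notes.append(f"{call.name}@{call.ref}: message not recovered")
            continue
        note = f"{call.name}@{call.ref}: msg=0x{msg:04X} ({MSG_NAMES.get(msg, 'unknown')})"
        wparam = _hex_arg(call.args, 2)
        if msg == 0x0111 and wparam is not None:
            note += f", command id={wparam}"
        notes.append(note)
    return notes


def triage(text):
    """One row per function: API ID, strings, called APIs and resolved messages."""
    return [{"api_id": e.fields.get("API ID"), "strings": e.strings,
             "calls": [f"{c.name}.{c.module}" for c in e.apis],
             "messages": resolve_messages(e)} for e in parse_entries(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["api_id"], row["strings"], row["messages"])
```

Run against the full report text, the same parser groups the thousands of entries by API ID so the AutoIt runtime boilerplate (ComboBox/ListBox, Shell_TrayWnd, the allocation-failure MessageBox) can be set aside and attention kept on the functions that carry the stealer behaviour listed in the signatures.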